FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Vulnerabilities

Affected packages
16.3.0 <= gitlab-ce < 16.3.1
16.2.0 <= gitlab-ce < 16.2.5
4.1.0 <= gitlab-ce < 16.1.5

Details

VuXML ID aaea7b7c-4887-11ee-b164-001b217b3468
Discovery 2023-08-31
Entry 2023-09-01

Gitlab reports:

Privilege escalation of "external user" to internal access through group service account

Maintainer can leak sentry token by changing the configured URL (fix bypass)

Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners

Information disclosure via project import endpoint

Developer can leak DAST scanners "Site Profile" request headers and auth password

Project forking outside current group

User is capable of creating Model experiment and updating existing run's status in public project

ReDoS in bulk import API

Pagination for Branches and Tags can be skipped leading to DoS

Internal Open Redirection Due to Improper handling of "../" characters

Subgroup Member With Reporter Role Can Edit Group Labels

Banned user can delete package registries

[source]

References

CVE Name CVE-2022-4343
CVE Name CVE-2023-0120
CVE Name CVE-2023-1279
CVE Name CVE-2023-1555
CVE Name CVE-2023-3205
CVE Name CVE-2023-3915
CVE Name CVE-2023-3950
CVE Name CVE-2023-4018
CVE Name CVE-2023-4378
CVE Name CVE-2023-4630
CVE Name CVE-2023-4638
CVE Name CVE-2023-4647
URL https://about.gitlab.com/releases/2023/08/31/security-release-gitlab-16-3-1-released/

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.