FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Multiple Vulnerabilities

Affected packages
14.5.0 <= gitlab-ce < 14.5.2
14.4.0 <= gitlab-ce < 14.4.4
0 <= gitlab-ce < 14.3.6


VuXML ID b299417a-5725-11ec-a587-001b217b3468
Discovery 2021-12-06
Entry 2021-12-07

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI


CVE Name CVE-2021-39910
CVE Name CVE-2021-39915
CVE Name CVE-2021-39916
CVE Name CVE-2021-39917
CVE Name CVE-2021-39918
CVE Name CVE-2021-39919
CVE Name CVE-2021-39930
CVE Name CVE-2021-39931
CVE Name CVE-2021-39932
CVE Name CVE-2021-39933
CVE Name CVE-2021-39934
CVE Name CVE-2021-39935
CVE Name CVE-2021-39936
CVE Name CVE-2021-39937
CVE Name CVE-2021-39938
CVE Name CVE-2021-39940
CVE Name CVE-2021-39941
CVE Name CVE-2021-39944
CVE Name CVE-2021-39945