FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GitLab -- Vulnerability

Affected packages
16.0.0 <= gitlab-ce < 16.0.2
15.11.0 <= gitlab-ce < 15.11.7
15.10.0 <= gitlab-ce < 15.10.8
1.2 <= gitlab-ce < 15.9.8

Details

VuXML ID cdb5338d-04ec-11ee-9c88-001b217b3468
Discovery 2023-06-05
Entry 2023-06-07

GitLab reports:

Stored-XSS with CSP-bypass in Merge requests

ReDoS via FrontMatterFilter in any Markdown fields

ReDoS via InlineDiffFilter in any Markdown fields

ReDoS via DollarMathPostFilter in Markdown fields

DoS via malicious test report artifacts

Restricted IP addresses can clone repositories of public projects

Reflected XSS in Report Abuse Functionality

Privilege escalation from maintainer to owner by importing members from a project

Bypassing tags protection in GitLab

Denial of Service using multiple labels with arbitrarily large descriptions

Ability to use an unverified email for public and commit emails

Open Redirection Through HTTP Response Splitting

Disclosure of issue notes to an unauthorized user when exporting a project

Ambiguous branch name exploitation

References

CVE Name CVE-2023-0121
CVE Name CVE-2023-0508
CVE Name CVE-2023-0921
CVE Name CVE-2023-1204
CVE Name CVE-2023-1825
CVE Name CVE-2023-2001
CVE Name CVE-2023-2013
CVE Name CVE-2023-2015
CVE Name CVE-2023-2132
CVE Name CVE-2023-2198
CVE Name CVE-2023-2199
CVE Name CVE-2023-2442
CVE Name CVE-2023-2485
CVE Name CVE-2023-2589
URL https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/