FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- multiple vulnerabilities

Affected packages
15.1.0 <= gitlab-ce < 15.1.1
15.0.0 <= gitlab-ce < 15.0.4
0 <= gitlab-ce < 14.10.5
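As an added example (not part of the VuXML entry or of FreeBSD's own tooling), a small Python checker that parses the affected ranges above and reports whether an installed gitlab-ce version falls inside any of them. It assumes plain dotted numeric versions as written in this entry and does not implement full FreeBSD pkg version ordering, which `pkg audit` handles properly.

```python
import re
from typing import List, Tuple

# Affected ranges copied from the VuXML entry above
# (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = [
    "15.1.0 <= gitlab-ce < 15.1.1",
    "15.0.0 <= gitlab-ce < 15.0.4",
    "0 <= gitlab-ce < 14.10.5",
]

RANGE_RE = re.compile(r"^(\S+)\s*<=\s*(\S+)\s*<\s*(\S+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple of integers.

    Assumption: plain dotted integers, as in the ranges above. FreeBSD pkg
    suffixes (PORTREVISION "_n", PORTEPOCH ",n", letters) are rejected
    rather than silently misread.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 15.1 == 15.1.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_range(line: str) -> Tuple[str, Tuple[int, ...], Tuple[int, ...]]:
    """Parse 'LOW <= pkg < HIGH' into (pkg, low, high)."""
    match = RANGE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised range line: {line!r}")
    low, pkg, high = match.groups()
    return pkg, parse_version(low), parse_version(high)


def is_affected(pkg: str, version: str, ranges: List[str] = AFFECTED_RANGES) -> bool:
    """True if pkg-version lies in any listed range (low inclusive, high exclusive)."""
    installed = parse_version(version)
    for line in ranges:
        name, low, high = parse_range(line)
        if name == pkg and compare(low, installed) <= 0 and compare(installed, high) < 0:
            return True
    return False
```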

Details

VuXML ID d1b35142-ff4a-11ec-8be3-001b217b3468
Discovery 2022-06-30
Entry 2022-07-09

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self-hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible to any user if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

References

CVE Name CVE-2022-1954
CVE Name CVE-2022-1963
CVE Name CVE-2022-1981
CVE Name CVE-2022-1983
CVE Name CVE-2022-1999
CVE Name CVE-2022-2185
CVE Name CVE-2022-2227
CVE Name CVE-2022-2228
CVE Name CVE-2022-2229
CVE Name CVE-2022-2230
CVE Name CVE-2022-2235
CVE Name CVE-2022-2243
CVE Name CVE-2022-2244
CVE Name CVE-2022-2250
CVE Name CVE-2022-2270
CVE Name CVE-2022-2281
URL https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/