Source: FreeBSD VuXML
VuXML ID: 1FB13175-ED52-11EA-8B93-001B217B3468
History: Sep 02, 2020 - 12:00 a.m.

Gitlab -- multiple vulnerabilities

Published: 2020-09-02 00:00:00
vuxml.freebsd.org

CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS2: 6.5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.061 Low
  Percentile: 93.4%

Gitlab reports:

Vendor Cross-Account Assume-Role Attack
Stored XSS on the Vulnerability Page
Outdated Job Token Can Be Reused to Access Unauthorized Resources
File Disclosure Via Workhorse File Upload Bypass
Unauthorized Maintainer Can Edit Group Badge
Denial of Service Within Wiki Functionality
Sign-in Vulnerable to Brute-force Attacks
Invalidated Session Allows Account Access With an Old Password
GitLab Omniauth Endpoint Renders User Controlled Messages
Blind SSRF Through Repository Mirroring
Information Disclosure Through Incorrect Group Permission Verifications
No Rate Limit on GitLab Webhook Feature
GitLab Session Revocation Feature Does Not Invalidate All Sessions
OAuth Authorization Scope for an External Application Can Be Changed Without User Consent
Unauthorized Maintainer Can Delete Repository
Improper Verification of Deploy-Key Leads to Access Restricted Repository
Disabled Repository Still Accessible With a Deploy-Token
Duplicated Secret Code Generated by 2 Factor Authentication Mechanism
Lack of Validation Within Project Invitation Flow
Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication
Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab
Lack of Upper Bound Check Leading to Possible Denial of Service
2 Factor Authentication for Groups Was Not Enforced Within API Endpoint
GitLab Runner Denial of Service via CI Jobs
Update jQuery Dependency

Affected packages:

OS       Version  Architecture  Package    Version   Filename
FreeBSD  any      noarch        gitlab-ce  = 13.3.0  UNKNOWN
FreeBSD  any      noarch        gitlab-ce  < 13.3.4  UNKNOWN
