git: bce205b2ccb3 - main - security/vuxml: Document www/gitlab-ce vulnerabilities
Date: Sat, 30 Jul 2022 06:50:13 UTC
The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=bce205b2ccb3fdc4e4af89bcf75483fbc233a58f commit bce205b2ccb3fdc4e4af89bcf75483fbc233a58f Author: Matthias Fechner <mfechner@FreeBSD.org> AuthorDate: 2022-07-30 06:49:28 +0000 Commit: Matthias Fechner <mfechner@FreeBSD.org> CommitDate: 2022-07-30 06:50:09 +0000 security/vuxml: Document www/gitlab-ce vulnerabilities --- security/vuxml/vuln-2022.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 246c27b6cbd5..c7e15af990da 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml 
@@ -1,3 +1,61 @@ + <vuln vid="4c26f668-0fd2-11ed-a83d-001b217b3468"> + <topic>Gitlab -- multiple vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <range><ge>15.2.0</ge><lt>15.2.1</lt></range> + <range><ge>15.1.0</ge><lt>15.1.4</lt></range> + <range><ge>0</ge><lt>15.0.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/"> + <p>Revoke access to confidential notes todos</p> + <p>Pipeline subscriptions trigger new pipelines with the wrong author</p> + <p>Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email</p> + <p>Import via git protocol allows to bypass checks on repository</p> + <p>Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages</p> + <p>Maintainer can leak Packagist and other integration access tokens by changing integration URL</p> + <p>Unauthenticated access to victims Grafana datasources through path traversal</p> + <p>Unauthorized users can filter issues by contact and organization</p> + <p>Malicious Maintainer may change the visibility of project or a group</p> + <p>Stored XSS in job error messages</p> + <p>Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant</p> + <p>Non project members can view public project's Deploy Keys</p> + <p>IDOR in project with Jira integration leaks project owner's other projects Jira issues</p> + <p>Group Bot Users and Tokens not deleted after group deletion</p> + <p>Email invited members can join projects even after the member lock has been enabled</p> + <p>Datadog integration returns user emails</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-2512</cvename> + <cvename>CVE-2022-2498</cvename> + <cvename>CVE-2022-2326</cvename> + 
<cvename>CVE-2022-2417</cvename> + <cvename>CVE-2022-2501</cvename> + <cvename>CVE-2022-2497</cvename> + <cvename>CVE-2022-2531</cvename> + <cvename>CVE-2022-2539</cvename> + <cvename>CVE-2022-2456</cvename> + <cvename>CVE-2022-2500</cvename> + <cvename>CVE-2022-2303</cvename> + <cvename>CVE-2022-2095</cvename> + <cvename>CVE-2022-2499</cvename> + <cvename>CVE-2022-2307</cvename> + <cvename>CVE-2022-2459</cvename> + <cvename>CVE-2022-2534</cvename> + <url>https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/</url> + </references> + <dates> + <discovery>2022-07-28</discovery> + <entry>2022-07-30</entry> + </dates> + </vuln> + <vuln vid="e1387e95-08d0-11ed-be26-001999f8d30b"> <topic>VirtualBox -- Multiple vulnerabilities</topic> <affects>
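Review bot: the sixteen `<cvename>` entries in the `<references>` block are neither sorted numerically nor ordered to match the sixteen `<p>` items quoted in the blockquote, so a reader of this VuXML entry cannot tell which CVE belongs to which advisory item; consider either sorting them (CVE-2022-2095, CVE-2022-2303, CVE-2022-2307, ...) or listing them in the same order as the quoted items, and stating the mapping in the commit message. Minor consistency point: `<topic>` spells the product "Gitlab" while the quoted advisory text uses "GitLab"; the wording inside the blockquote (including "victims Grafana datasources") is GitLab's own and should stay as quoted. The affected ranges (`>=15.2.0 <15.2.1`, `>=15.1.0 <15.1.4`, `>=0 <15.0.5`) match the three fixed releases named in the referenced GitLab 15.2.1 security release, and the 58-line count in the hunk header is consistent with the one-entry addition plus the blank separator line.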