FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
b299417a-5725-11ec-a587-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI


Discovery 2021-12-06
Entry 2021-12-07
gitlab-ce
ge 14.5.0 lt 14.5.2

ge 14.4.0 lt 14.4.4

ge 0 lt 14.3.6

CVE-2021-39944
CVE-2021-39935
CVE-2021-39937
CVE-2021-39915
CVE-2021-39919
CVE-2021-39930
CVE-2021-39940
CVE-2021-39932
CVE-2021-39933
CVE-2021-39934
CVE-2021-39917
CVE-2021-39916
CVE-2021-39941
CVE-2021-39936
CVE-2021-39938
CVE-2021-39918
CVE-2021-39931
CVE-2021-39945
CVE-2021-39910
https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
3507bfb3-85d5-11ec-8c9c-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected


Discovery 2022-02-03
Entry 2022-02-04
gitlab-ce
ge 14.7.0 lt 14.7.1

ge 14.6.0 lt 14.6.4

ge 0 lt 14.5.4

CVE-2022-0427
CVE-2022-0425
CVE-2022-0123
CVE-2022-0136
CVE-2022-0283
CVE-2022-0390
CVE-2022-0373
CVE-2022-0371
CVE-2021-39943
CVE-2022-0477
CVE-2022-0167
CVE-2022-0249
CVE-2022-0344
CVE-2022-0488
CVE-2021-39931
https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/
33557582-3958-11ec-90ba-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address


Discovery 2021-10-28
Entry 2021-10-30
gitlab-ce
ge 14.4.0 lt 14.4.1

ge 14.3.0 lt 14.3.4

ge 0 lt 14.2.6

CVE-2021-39906
CVE-2021-39895
CVE-2021-39907
CVE-2021-39904
CVE-2021-39905
CVE-2021-39902
CVE-2021-39913
CVE-2021-39912
CVE-2021-39909
CVE-2021-39903
CVE-2021-39898
CVE-2021-39901
CVE-2021-39897
CVE-2021-39914
CVE-2021-39911
https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/
8657eedd-b423-11ec-9559-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID


Discovery 2022-03-31
Entry 2022-04-04
gitlab-ce
ge 14.9.0 lt 14.9.2

ge 14.8.0 lt 14.8.5

ge 0 lt 14.7.7

CVE-2022-1162
CVE-2022-1175
CVE-2022-1190
CVE-2022-1185
CVE-2022-1148
CVE-2022-1121
CVE-2022-1120
CVE-2022-1100
CVE-2022-1193
CVE-2022-1105
CVE-2022-1099
CVE-2022-1174
CVE-2022-1188
CVE-2022-0740
CVE-2022-1189
CVE-2022-1157
CVE-2022-1111
https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
43f84437-73ab-11ec-a587-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port


Discovery 2022-01-11
Entry 2022-01-12
gitlab-ce
ge 14.6.0 lt 14.6.2

ge 14.5.0 lt 14.5.3

ge 7.7 lt 14.4.5

CVE-2021-39946
CVE-2022-0154
CVE-2022-0152
CVE-2022-0151
CVE-2022-0172
CVE-2022-0090
CVE-2022-0125
CVE-2022-0124
CVE-2021-39942
CVE-2022-0093
CVE-2021-39927
https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/
6c22bb39-0a9a-11ec-a265-001b217b3468Gitlab -- Vulnerabilities

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference


Discovery 2021-08-31
Entry 2021-08-31
gitlab-ce
ge 14.2.0 lt 14.2.2

ge 14.1.0 lt 14.1.4

ge 0 lt 14.0.9

CVE-2021-22257
CVE-2021-22258
CVE-2021-22238
https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/
f414d69f-e43d-11ec-9ea4-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass


Discovery 2022-06-01
Entry 2022-06-04
gitlab-ce
ge 15.0.0 lt 15.0.1

ge 14.10.0 lt 14.10.4

ge 11.10.0 lt 14.9.5

CVE-2022-1680
CVE-2022-1940
CVE-2022-1948
CVE-2022-1935
CVE-2022-1936
CVE-2022-1944
CVE-2022-1821
CVE-2022-1783
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
1bdd4db6-2223-11ec-91be-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing do not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry


Discovery 2021-09-30
Entry 2021-09-30
gitlab-ce
ge 14.3.0 lt 14.3.1

ge 14.2.0 lt 14.2.5

ge 0 lt 14.1.7

CVE-2021-39885
CVE-2021-39877
CVE-2021-39887
CVE-2021-39867
CVE-2021-39869
CVE-2021-39872
CVE-2021-39878
CVE-2021-39866
CVE-2021-39882
CVE-2021-39875
CVE-2021-39870
CVE-2021-39884
CVE-2021-39883
CVE-2021-22259
CVE-2021-39868
CVE-2021-39871
CVE-2021-39874
CVE-2021-39873
CVE-2021-39881
CVE-2021-39886
CVE-2021-39879
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/
2823048d-9f8f-11ec-8c9c-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments


Discovery 2022-02-25
Entry 2022-03-09
gitlab-ce
ge 14.8.0 lt 14.8.2

ge 14.7.0 lt 14.7.4

ge 0 lt 14.6.5

CVE-2022-0735
CVE-2022-0549
CVE-2022-0751
CVE-2022-0741
CVE-2021-4191
CVE-2022-0738
CVE-2022-0489
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/