FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Vulnerabilities

Affected packages
16.9.0 <= gitlab-ce < 16.9.1
16.8.0 <= gitlab-ce < 16.8.3
11.3.0 <= gitlab-ce < 16.7.6

Details

VuXML ID 03bf5157-d145-11ee-acee-001b217b3468
Discovery 2024-02-21
Entry 2024-02-22

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS

References

CVE Name CVE-2023-3509
CVE Name CVE-2023-4895
CVE Name CVE-2023-6477
CVE Name CVE-2023-6736
CVE Name CVE-2024-0410
CVE Name CVE-2024-0861
CVE Name CVE-2024-1451
CVE Name CVE-2024-1525
URL https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/