FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Multiple vulnerabilities

Affected packages
13.5.0 <= gitlab-ce < 13.5.2
13.4.0 <= gitlab-ce < 13.4.5
8.8.9 <= gitlab-ce < 13.3.9

Details

VuXML ID: 174e466b-1d48-11eb-bd0f-001b217b3468
Discovery: 2020-11-02
Entry: 2020-11-02

Gitlab reports:

Path Traversal in LFS Upload

Path traversal allows saving packages in arbitrary location

Kubernetes agent API leaks private repos

Terraform state deletion API exposes object storage URL

Stored-XSS in error message of build-dependencies

Git credentials persisted on disk

Potential Denial of service via container registry

Info leak when group is transferred from private to public group

Limited File Disclosure Via Multipart Bypass

Unauthorized user is able to access scheduled pipeline variables and values

CSRF in runner administration page allows an attacker to pause/resume runners

Regex backtracking attack in path parsing of Advanced Search result

Bypass of required CODEOWNERS approval

SAST CiConfiguration information visible without permissions

References

CVE Name: CVE-2020-13340
CVE Name: CVE-2020-13348
CVE Name: CVE-2020-13349
CVE Name: CVE-2020-13350
CVE Name: CVE-2020-13351
CVE Name: CVE-2020-13352
CVE Name: CVE-2020-13353
CVE Name: CVE-2020-13354
CVE Name: CVE-2020-13355
CVE Name: CVE-2020-13356
CVE Name: CVE-2020-13358
CVE Name: CVE-2020-13359
CVE Name: CVE-2020-26405
URL: https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/