FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- vulnerabilities

Affected packages
14.3.0 <= gitlab-ce < 14.3.1
14.2.0 <= gitlab-ce < 14.2.5
0 <= gitlab-ce < 14.1.7

Details

VuXML ID 1bdd4db6-2223-11ec-91be-001b217b3468
Discovery 2021-09-30
Entry 2021-09-30

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing does not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry

References

CVE Name CVE-2021-22259
CVE Name CVE-2021-39866
CVE Name CVE-2021-39867
CVE Name CVE-2021-39868
CVE Name CVE-2021-39869
CVE Name CVE-2021-39870
CVE Name CVE-2021-39871
CVE Name CVE-2021-39872
CVE Name CVE-2021-39873
CVE Name CVE-2021-39874
CVE Name CVE-2021-39875
CVE Name CVE-2021-39877
CVE Name CVE-2021-39878
CVE Name CVE-2021-39879
CVE Name CVE-2021-39881
CVE Name CVE-2021-39882
CVE Name CVE-2021-39883
CVE Name CVE-2021-39884
CVE Name CVE-2021-39885
CVE Name CVE-2021-39886
CVE Name CVE-2021-39887
URL https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/