FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Multiple Vulnerabilities

Affected packages
15.7.0 <= gitlab-ce < 15.7.2
15.6.0 <= gitlab-ce < 15.6.4
6.6.0 <= gitlab-ce < 15.5.7

Details

VuXML ID 3a023570-91ab-11ed-8950-001b217b3468
Discovery 2023-01-09
Entry 2023-01-11

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser

References

CVE Name CVE-2022-3514
CVE Name CVE-2022-3573
CVE Name CVE-2022-3613
CVE Name CVE-2022-3870
CVE Name CVE-2022-4037
CVE Name CVE-2022-4131
CVE Name CVE-2022-4167
CVE Name CVE-2022-4342
CVE Name CVE-2022-4365
CVE Name CVE-2023-0042
URL https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released/