FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- multiple vulnerabilities

Affected packages
14.9.0 <= gitlab-ce < 14.9.2
14.8.0 <= gitlab-ce < 14.8.5
0 <= gitlab-ce < 14.7.7

Details

VuXML ID: 8657eedd-b423-11ec-9559-001b217b3468
Discovery: 2022-03-31
Entry: 2022-04-04

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID

References

CVE Names:
  CVE-2022-0740
  CVE-2022-1099
  CVE-2022-1100
  CVE-2022-1105
  CVE-2022-1111
  CVE-2022-1120
  CVE-2022-1121
  CVE-2022-1148
  CVE-2022-1157
  CVE-2022-1162
  CVE-2022-1174
  CVE-2022-1175
  CVE-2022-1185
  CVE-2022-1188
  CVE-2022-1189
  CVE-2022-1190
  CVE-2022-1193
URL: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/