Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-13356 | Hig | 8.2 | < 13.5.2 | 13.5.2 | Nov 19, 2020 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | |
| CVE-2020-13355 | Hig | 7.5 | < 13.5.2 | 13.5.2 | Nov 19, 2020 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | |
| CVE-2020-26405 | Hig | 7.1 | < 13.5.2 | 13.5.2 | Nov 17, 2020 | Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | |
| CVE-2020-13349 | Med | 4.3 | < 13.5.2 | 13.5.2 | Nov 17, 2020 | An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2 | |
| CVE-2020-13348 | Med | 5.7 | >= 10.2.0, < 13.3.9 | 13.3.9 | Nov 17, 2020 | An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | |
| CVE-2020-13351 | Med | 6.5 | < 13.5.2 | 13.5.2 | Nov 17, 2020 | Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2. | |
| CVE-2020-13350 | Low | 3.1 | < 13.5.2 | 13.5.2 | Nov 17, 2020 | CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9. | |
| CVE-2020-26406 | Med | 5.3 | >= 13.3.0, < 13.3.9 | 13.3.9 | Nov 17, 2020 | Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affec | |
| CVE-2020-13358 | Med | 4.7 | < 13.5.2 | 13.5.2 | Nov 17, 2020 | A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2. | |
| CVE-2020-13354 | Med | 4.3 | < 13.3.9 | 13.3.9 | Nov 17, 2020 | A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9. | |
| CVE-2020-13352 | Low | 3.7 | < 13.5.2 | 13.5.2 | Nov 17, 2020 | Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | |
| CVE-2020-13341 | Med | 4.9 | >= 13.1.0, < 13.2.10 | 13.2.10 | Oct 12, 2020 | An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions. | |
| CVE-2020-13344 | Med | 5.7 | >= 10.8.0, < 13.2.10 | 13.2.10 | Oct 8, 2020 | An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis | |
| CVE-2020-13340 | Hig | 8.7 | >= 12.4.0, < 13.2.10 | 13.2.10 | Oct 8, 2020 | An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log | |
| CVE-2020-13339 | Med | 5.5 | >= 12.10.0, < 13.2.10 | 13.2.10 | Oct 8, 2020 | An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted. | |
| CVE-2020-13342 | Low | 2.7 | >= 10.1.0, < 13.2.10 | 13.2.10 | Oct 7, 2020 | An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email | |
| CVE-2020-13347 | Cri | 9.1 | >= 12.0.0, < 13.2.4 | 13.2.4 | Oct 7, 2020 | A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG bui | |
| CVE-2020-13346 | Med | 6.5 | >= 11.2.0, < 13.2.10 | 13.2.10 | Oct 7, 2020 | Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API. | |
| CVE-2020-13335 | Med | 4.3 | >= 7.12.0, < 13.2.10 | 13.2.10 | Oct 7, 2020 | Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group. | |
| CVE-2020-13334 | Med | 5.9 | >= 8.6.0, < 13.2.10 | 13.2.10 | Oct 7, 2020 | In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query |
- affected < 13.5.2fixed 13.5.2
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
- affected < 13.5.2fixed 13.5.2
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
- affected < 13.5.2fixed 13.5.2
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
- affected < 13.5.2fixed 13.5.2
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2
- affected >= 10.2.0, < 13.3.9fixed 13.3.9
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
- affected < 13.5.2fixed 13.5.2
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2.
- affected < 13.5.2fixed 13.5.2
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9.
- affected >= 13.3.0, < 13.3.9fixed 13.3.9
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affec
- affected < 13.5.2fixed 13.5.2
A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.
- affected < 13.3.9fixed 13.3.9
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
- affected < 13.5.2fixed 13.5.2
Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
- affected >= 13.1.0, < 13.2.10fixed 13.2.10
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions.
- affected >= 10.8.0, < 13.2.10fixed 13.2.10
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis
- affected >= 12.4.0, < 13.2.10fixed 13.2.10
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log
- affected >= 12.10.0, < 13.2.10fixed 13.2.10
An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
- affected >= 10.1.0, < 13.2.10fixed 13.2.10
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
- affected >= 12.0.0, < 13.2.4fixed 13.2.4
A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG bui
- affected >= 11.2.0, < 13.2.10fixed 13.2.10
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
- affected >= 7.12.0, < 13.2.10fixed 13.2.10
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.
- affected >= 8.6.0, < 13.2.10fixed 13.2.10
In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query
Page 47 of 54