Vulnerabilities in GitLab


Several vulnerabilities have recently been found in GitLab CE/EE. Some of them allow an attacker to cause a denial of service (DoS), bypass the security policy, or violate data confidentiality; others allow arbitrary code to be injected remotely in an indirect way (XSS). The following table lists the identified and patched defects in GitLab:
No. | Affected versions                      | CVE            | Vulnerability description
----|----------------------------------------|----------------|----------------------------------------------------------------------
1   | GitLab EE/CE 8.5 and later             | –              | Arbitrary File Read when Moving an Issue
2   | GitLab EE 11.7 and later               | CVE-2020-10953 | Path Traversal in NPM Package Registry
3   | ?                                      | CVE-2020-10956 | SSRF on Project Import
4   | ?                                      | –              | External Users Can Create Personal Snippet
5   | GitLab EE/CE 9.0 and later             | –              | Trigger Description Can be Updated by Other Maintainers in Project
6   | GitLab EE/CE 8.11 and later            | –              | Information Disclosure on Confidential Issues Moved to Private Programs
7   | ?                                      | CVE-2020-10954 | Potential DoS in Repository Archive Download
8   | GitLab EE/CE 8.11 and later            | CVE-2020-10952 | Blocked Users Can Still Pull/Push Docker Images
9   | ?                                      | –              | Repository Mirroring not Disabled when Feature not Activated
10  | GitLab EE/CE 10.8 and later            | –              | Vulnerability Feedback Page Was Leaking Information on Vulnerabilities
11  | ?                                      | –              | Stored XSS Vulnerability in Admin Feature
12  | GitLab EE/CE 11.1 and later            | CVE-2020-10955 | Upload Feature Allowed a User to Read Unauthorized Exported Files
13  | GitLab EE/CE 11.10 and later           | –              | Unauthorized Users Are Able to See CI Metrics
14  | GitLab EE/CE 8.17 and later            | –              | Last Pipeline Status of a Merge Request Leaked
15  | GitLab EE/CE 8.0 and later             | –              | Blind SSRF on FogBugz
–   | All previous versions of GitLab CE/EE  | CVE-2020-9795  | Update Nokogiri dependency
–   | All previous versions of GitLab CE/EE  | CVE-2019-20454 | Update Pcre2 dependency


Vulnerability IDs marked with – have not yet been published.

Affected versions marked with ? have not yet been announced.


Solution:


GitLab recently released versions 12.9.1, 12.8.8 and 12.7.8 for both of its editions and has asked users to update their installations to the latest of these versions:
  • GitLab Community Edition (CE)
  • GitLab Enterprise Edition (EE)

Source:

Reported by: Maher Center


