
[ASA-202108-7] gitlab: multiple issues
Arch Linux Security Advisory ASA-202108-7
=========================================

Severity: High
Date    : 2021-08-10
CVE-ID  : CVE-2021-22236 CVE-2021-22237 CVE-2021-22239 CVE-2021-22241
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    :

Summary
=======

The package gitlab before version 14.1.2-1 is vulnerable to multiple issues including cross-site scripting, access restriction bypass and incorrect calculation.

Resolution
==========

Upgrade to 14.1.2-1.

# pacman -Syu "gitlab>=14.1.2-1"

The problems have been fixed upstream in version 14.1.2.

Workaround
==========

None.

Description
===========

- CVE-2021-22236 (incorrect calculation)

Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1 before version 14.1.2.

- CVE-2021-22237 (access restriction bypass)

Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab versions before 14.1.2.

- CVE-2021-22239 (access restriction bypass)

An unauthorized user was able to insert metadata when creating a new issue on GitLab 14.0 and later before version 14.1.2.

- CVE-2021-22241 (cross-site scripting)

An issue has been discovered in GitLab affecting all versions starting from 13.4 and before 14.1.2. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name.

Impact
======

A remote attacker could execute arbitrary JavaScript code through a crafted branch name, or bypass access restrictions to perform various actions they are not authorised for.

References
==========
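The four CVEs above have different introduced-in versions (14.1, any, 14.0 and 13.4) but the same fixed-in version, so an installed gitlab package may be exposed to a subset of them. The following is an added example, not part of the Arch advisory or of any Arch tooling: it takes the line that `pacman -Q gitlab` prints (e.g. `gitlab 14.1.1-1`), decides whether the package is below the fixed 14.1.2-1 and lists which of the advisory's CVEs apply. The version ordering is a simplified pkgver/pkgrel comparison written for this example, not pacman's full vercmp(8) algorithm; it is sufficient for the plain dotted numeric versions in this advisory. The sample input lines at the bottom are constructed, not output from a real host.

```python
"""Added example (not part of the Arch advisory): map an installed gitlab
package version to the CVEs from ASA-202108-7 that still apply to it."""

from __future__ import annotations

# Fixed package version from the Resolution section.
FIXED = "14.1.2-1"

# Affected ranges taken from the Description section, as
# (introduced, fixed_before). None for "introduced" means every
# earlier version is affected (CVE-2021-22237: "versions before 14.1.2").
AFFECTED = {
    "CVE-2021-22236": ("14.1", "14.1.2"),
    "CVE-2021-22237": (None, "14.1.2"),
    "CVE-2021-22239": ("14.0", "14.1.2"),
    "CVE-2021-22241": ("13.4", "14.1.2"),
}


def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Split 'pkgver-pkgrel' into (numeric pkgver components, pkgrel).
    A missing pkgrel (upstream-only versions such as '14.1.2') counts as 0,
    so the packaged '14.1.2-1' sorts after the bare '14.1.2'."""
    pkgver, _, pkgrel = version.partition("-")
    parts = tuple(int(p) for p in pkgver.split("."))
    return parts, int(pkgrel) if pkgrel else 0


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 (simplified vercmp). Shorter pkgvers are padded
    with zeros so that 14.1 equals 14.1.0; pkgrel breaks ties."""
    va, ra = parse_version(a)
    vb, rb = parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    if va != vb:
        return -1 if va < vb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def applicable_cves(installed: str) -> list[str]:
    """CVEs whose affected range contains the installed version."""
    hits = []
    for cve, (introduced, fixed_before) in AFFECTED.items():
        if compare(installed, fixed_before) >= 0:
            continue  # already at or past the upstream fix
        if introduced is not None and compare(installed, introduced) < 0:
            continue  # older than the version that introduced the bug
        hits.append(cve)
    return hits


def parse_pacman_q(line: str) -> str | None:
    """Extract the version from one 'pacman -Q' line such as 'gitlab 14.1.1-1'."""
    name, _, version = line.strip().partition(" ")
    return version if name == "gitlab" and version else None


def assess(pacman_q_line: str) -> dict:
    """Summarise exposure of the installed gitlab package to this advisory."""
    version = parse_pacman_q(pacman_q_line)
    if version is None:
        raise ValueError(f"not a gitlab package line: {pacman_q_line!r}")
    return {
        "version": version,
        "needs_upgrade": compare(version, FIXED) < 0,
        "cves": applicable_cves(version),
    }


if __name__ == "__main__":
    # Constructed sample lines (not real `pacman -Q` output from any host).
    for line in ["gitlab 13.12.4-1", "gitlab 14.0.5-1",
                 "gitlab 14.1.1-1", "gitlab 14.1.2-1"]:
        print(line, "->", assess(line))
```

Feed it the real output of `pacman -Q gitlab` to get the same answer the advisory gives in prose: anything below 14.1.2-1 needs the upgrade, and the `cves` list shows which of the four issues that particular version is exposed to.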