AVG-1416 log

Package: gitlab
Status: Fixed
Severity: High
Type: multiple issues
Affected: 13.7.1-1
Fixed: 13.7.2-1
Current: 14.2.3-1 [community]
Ticket: None
Created: Thu Jan 7 21:27:01 2021

| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2021-22171 | High | Yes | Authentication bypass | Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ would allow stealing a user's API access token. The issue is mitigated... |
| CVE-2021-22168 | Medium | Yes | Denial of service | A regular expression denial of service issue has been discovered in the NuGet API affecting all versions of GitLab starting from version 12.8. The issue is... |
| CVE-2021-22167 | Medium | Yes | Information disclosure | An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers within a specific project page allow attackers to have... |
| CVE-2021-22166 | Medium | Yes | Denial of service | An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method. The issue is mitigated in GitLab... |
| CVE-2020-26414 | Medium | Yes | Denial of service | An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution... |

| Date | Advisory | Package | Type |
|---|---|---|---|
| 12 Jan 2021 | ASA-202101-10 | gitlab | multiple issues |

References
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/
Notes
This release fixes three more security issues for which CVE IDs have been requested but not yet assigned.