AVG-2125 log

Package gitlab
Status Fixed
Severity High
Type multiple issues
Affected 14.0.1-1
Fixed 14.0.3-1
Current 14.2.3-1 [community]
Ticket None
Created Fri Jul 2 08:36:05 2021
Issue Severity Remote Type Description
CVE-2021-31799 Medium Yes Arbitrary command execution
RDoc before version 6.3.1, as bundled with Ruby before version 2.7.4 and 2.6.8 as well as GitLab before version 14.0.2, used to call Kernel#open to open a...
CVE-2021-22232 Low Yes Content spoofing
HTML injection was possible via the full name field before version 14.0.2 in GitLab CE.
CVE-2021-22231 Low Yes Denial of service
A denial of service on the user's profile page is found starting with GitLab CE/EE 8.0 and before 14.0.2 that allows an attacker to reject access to their...
CVE-2021-22230 Medium Yes Arbitrary code execution
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later up...
CVE-2021-22229 Medium Yes Information disclosure
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8 and before 14.0.2. Under a special condition it was possible to...
CVE-2021-22228 Medium Yes Information disclosure
An issue has been discovered in GitLab affecting all versions before 14.0.2. Improper access control allows unauthorised users to access project details...
CVE-2021-22227 Medium Yes Cross-site scripting
A reflected cross-site script vulnerability in GitLab before version 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on...
CVE-2021-22226 Medium Yes Access restriction bypass
Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9 and...
CVE-2021-22225 Medium Yes Cross-site scripting
Insufficient input sanitization in markdown in GitLab version 13.11 and up before version 14.0.2 allows an attacker to exploit a stored cross-site scripting...
CVE-2021-22224 High Yes Cross-site request forgery
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before version 14.0.2 allowed an attacker to call mutations...
CVE-2021-22223 Medium Yes Cross-site scripting
Client-Side code injection through a Feature Flag name in GitLab CE/EE starting with 11.9 and before version 14.0.2 allows a specially crafted feature flag...
Date Advisory Package Type
06 Jul 2021 ASA-202107-18 gitlab multiple issues
References
https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/