AVG-2432 log

Package gitlab
Status Not affected
Severity High
Type multiple issues
Affected 14.3.0-1
Fixed Not affected
Current 17.5.2-1 [extra]
Ticket None
Created Thu Sep 30 17:33:34 2021
Issue            Severity  Remote  Type                    Description (following line)
CVE-2021-39889   Medium    Yes     Information disclosure
    In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name...
CVE-2021-39888   Medium    Yes     Information disclosure
    In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and...
CVE-2021-39885   High      Yes     Cross-site scripting
    A stored cross-site scripting security issue in the merge request creation page in GitLab EE version 13.5 and above allows an attacker to execute arbitrary...
CVE-2021-39884   Medium    Yes     Information disclosure
    In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that...
CVE-2021-39883   Medium    Yes     Information disclosure
    Improper authorization checks in GitLab EE > 13.11 allow subgroup members to see epics from all parent subgroups.
CVE-2021-22259   Medium    Yes     Denial of service
    A potential denial of service vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in the dependencies API.
Notes
These issues only affect GitLab Enterprise Edition. The Arch Linux gitlab package builds the Community Edition, which does not contain the affected EE-only code, so no fix is required in the package.
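The note above turns on one fact an operator should verify rather than assume: which edition the instance actually runs. The script below is an added example, not part of the Arch tracker or of GitLab's own tooling. It triages a captured GitLab API response against the EE-only floors listed on this page. It assumes the shape of two real GitLab endpoints: /api/v4/version, whose version string carries an "-ee" suffix on Enterprise Edition, and /api/v4/metadata (GitLab 15.2 and later, to my knowledge), which adds an explicit "enterprise" boolean. The sample responses are constructed inline, and since this page lists no fixed versions, a match means only "at or above the stated floor", not a confirmed vulnerable build.

```python
"""Edition/version triage for the GitLab EE-only CVEs in AVG-2432 (added example)."""
import re

# Lower bounds of the affected EE ranges exactly as stated on this page.
# The page gives no upper (fixed) versions, so these are floors only.
EE_FLOORS = {
    "CVE-2021-39889": (14, 1),   # "since version 14.1"
    "CVE-2021-39888": (13, 10),  # "since version 13.10"
    "CVE-2021-39885": (13, 5),   # "version 13.5 and above"
    "CVE-2021-39884": (8, 13),   # "since version 8.13"
    "CVE-2021-39883": (13, 11),  # "> 13.11"; treated as 13.11 and later (assumption)
    "CVE-2021-22259": (12, 6),   # "starting with version 12.6"
}


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from strings such as '14.3.0', '14.3.0-ee',
    '15.0.0-pre' or the Arch pkgver-pkgrel form '14.3.0-1'. Suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def is_enterprise(response: dict) -> bool:
    """Decide the edition from an API response.

    /api/v4/metadata exposes an explicit 'enterprise' flag; older instances only
    offer /api/v4/version, where EE reports a version like '14.3.0-ee' and CE
    reports a bare '14.3.0'."""
    if "enterprise" in response:
        return bool(response["enterprise"])
    return "-ee" in str(response.get("version", ""))


def triage(response: dict) -> dict:
    """Map a captured /api/v4/version or /api/v4/metadata response to the CVEs on
    this page whose EE floor the instance has reached. CE never matches."""
    version = parse_version(response["version"])
    if not is_enterprise(response):
        return {"edition": "CE", "version": version, "reached_floor": []}
    major_minor = version[:2]
    hits = sorted(cve for cve, floor in EE_FLOORS.items() if major_minor >= floor)
    return {"edition": "EE", "version": version, "reached_floor": hits}


if __name__ == "__main__":
    # Constructed sample responses; field layout follows the GitLab API docs.
    samples = {
        "Arch package (CE, /api/v4/version)": {"version": "14.3.0", "revision": "0123abcd"},
        "Self-managed EE, /api/v4/version":   {"version": "14.3.0-ee", "revision": "4567ef01"},
        "Older EE, /api/v4/version":          {"version": "13.0.0-ee", "revision": "89ab2345"},
        "Newer EE, /api/v4/metadata":         {"version": "15.4.0", "revision": "cdef6789",
                                              "kas": {"enabled": False}, "enterprise": True},
    }
    for label, resp in samples.items():
        result = triage(resp)
        print(f"{label}: {result['edition']} {'.'.join(map(str, result['version']))} "
              f"-> {result['reached_floor'] or 'none of the AVG-2432 issues apply'}")
```

Run it against a real instance by feeding `curl -s https://HOST/api/v4/version` (or `/metadata`) output into `triage()`; both endpoints require an authenticated token on most instances. A CE result is what makes the note above hold for the Arch package; an EE result with matches means the instance needs GitLab's own fixed versions, which this page does not list.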