AVG-2603 log

Package gitlab
Status Fixed
Severity High
Type multiple issues
Affected 14.5.0-1
Fixed 14.5.2-1
Current 17.4.1-2 [extra-testing]
17.4.1-1 [extra]
Ticket None
Created Tue Dec 7 09:25:21 2021
Issue Severity Remote Type Description
CVE-2021-39945 Low Yes Access restriction bypass
Improper access control in the GitLab API affecting all versions before version 14.5.2 allows an author of a Merge Request to approve the Merge Request even...
CVE-2021-39944 High Yes Privilege escalation
An issue has been discovered in GitLab before version 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their...
CVE-2021-39941 Low Yes Information disclosure
An information disclosure vulnerability in GitLab before version 14.5.2 allowed non-project members to see the default branch name for projects that...
CVE-2021-39940 Medium Yes Denial of service
An issue has been discovered in GitLab before version 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a...
CVE-2021-39938 Low Yes Denial of service
A vulnerable regular expression pattern in GitLab before version 14.5.2 allows an attacker to cause uncontrolled resource consumption leading to Denial of...
CVE-2021-39937 Medium Yes Privilege escalation
A collision in access memoization logic in all versions of GitLab before version 14.5.2 leads to potential elevated privileges in groups and projects under...
CVE-2021-39936 Low Yes Access restriction bypass
Improper access control in GitLab before version 14.5.2 allows an attacker in possession of a deploy token to access a project's disabled wiki.
CVE-2021-39935 Medium Yes Access restriction bypass
An issue has been discovered in GitLab before version 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
CVE-2021-39934 Medium Yes Information disclosure
Improper access control allows any project member to retrieve the service desk email address in GitLab before version 14.5.2.
CVE-2021-39933 Medium Yes Denial of service
An issue has been discovered in GitLab before version 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to...
CVE-2021-39932 Medium Yes Denial of service
An issue has been discovered in GitLab before version 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users...
CVE-2021-39931 Low Yes Access restriction bypass
An issue has been discovered in GitLab before version 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected...
CVE-2021-39919 Medium No Information disclosure
In all versions of GitLab before version 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
CVE-2021-39917 Medium Yes Denial of service
An issue has been discovered in GitLab before version 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic...
CVE-2021-39915 Medium Yes Information disclosure
Improper access control in the GraphQL API in GitLab before version 14.5.2 allows an attacker to see the names of project access tokens on arbitrary projects.
CVE-2021-39910 Low Yes Content spoofing
An issue has been discovered in GitLab before version 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.
Date Advisory Package Type
11 Dec 2021 ASA-202112-10 gitlab multiple issues