AVG-2785 log

Package:  gitlab
Status:   Fixed
Severity: Medium
Type:     unknown
Affected: 15.2.0-1
Fixed:    15.2.1-1
Current:  15.6.0-1 [community-testing], 15.5.2-1 [community]
Ticket:   None
Created:  Thu Jul 28 16:57:40 2022
Advisory: Pending
Issue          Severity  Remote  Type     Description
CVE-2022-2539  Medium    Yes     Unknown  Unauthorized users can filter issues by contact and organization
CVE-2022-2534  Low       Yes     Unknown  GitLab was returning contributor emails due to improper data handling in the Datadog integration
CVE-2022-2512  Medium    Yes     Unknown  Membership changes are not reflected in TODOs for confidential notes, allowing former project members to read updates via TODOs
CVE-2022-2500  Medium    Yes     Unknown  Stored XSS in job error messages allows attackers to perform arbitrary actions on behalf of victims on the client side
CVE-2022-2497  Medium    Yes     Unknown  A malicious maintainer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an...
CVE-2022-2456  Medium    Yes     Unknown  It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request
CVE-2022-2417  Medium    Yes     Unknown  GitLab allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused...
CVE-2022-2326  Medium    Yes     Unknown  It may be possible to gain access to a private project through an email invite by using another user's email address as an unverified secondary email
CVE-2022-2307  Low       Yes     Unknown  GitLab allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited
CVE-2022-2303  Medium    Yes     Unknown  It may be possible for group members to bypass 2FA enforcement enabled at the group level by using the Resource Owner Password Credentials grant to obtain an...
CVE-2022-2095  Medium    Yes     Unknown  GitLab allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission
References
https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/