AVG-794

Package:   gitlab
Status:    Fixed
Severity:  Critical
Type:      multiple issues
Affected:  11.4.0-1
Fixed:     11.4.3-1
Current:   12.2.1-1 [community]
Ticket:    None
Created:   Mon Oct 29 14:52:02 2018
Issue           Severity  Remote  Type                        Description

CVE-2018-18649  Critical  Yes     Arbitrary code execution
    A security issue has been found in gitlab versions prior to 11.4.3, where the wiki API contained an input validation issue which resulted in remote code execution.

CVE-2018-18648  Low       Yes     Information disclosure
    A security issue has been found in gitlab versions prior to 11.4.3, where a JSON endpoint was disclosing Gem version information which could result in an...

CVE-2018-18646  Medium    Yes     Cross-site request forgery
    A security issue has been found in gitlab versions prior to 11.4.3, where the Hipchat integration was vulnerable to a SSRF issue which allowed an attacker...

CVE-2018-18645  Low       Yes     Information disclosure
    A security issue has been found in gitlab versions prior to 11.4.3, where when replying to an issue through email, with the GitLab email footer included, a...

CVE-2018-18643  Medium    Yes     Cross-site scripting
    A security issue has been found in gitlab versions prior to 11.4.3, where the fragment identifier (hash) of several pages contained a lack of input...

CVE-2018-18641  Low       Yes     Information disclosure
    A security issue has been found in gitlab versions prior to 11.4.3, where personal access tokens were being stored unencrypted as plain text in the database...

CVE-2018-18640  Medium    No      Information disclosure
    A security issue has been found in gitlab versions prior to 11.4.3, where private project pages had inadequate cache control, which resulted in unauthorized...
Date         Advisory       Package  Description
31 Oct 2018  ASA-201810-16  gitlab   multiple issues
References
https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/