gitlab

Description: Project management and code hosting application
Version: 12.5.1-1 [community]

Resolved

Group    Affected  Fixed     Severity  Status        Ticket
AVG-802  11.4.0-1  11.4.3-2  High      Not affected
AVG-794  11.4.0-1  11.4.3-1  Critical  Fixed
AVG-726  11.0.0-1  11.0.1-1  Medium    Fixed
Issue           Group    Severity  Remote  Type (description on the following line)
CVE-2018-18843  AVG-802  High      Yes     Cross-site request forgery
  The GitLab Kubernetes integration was vulnerable to an SSRF issue which could allow an attacker to make requests to access any internal URLs.
CVE-2018-18649  AVG-794  Critical  Yes     Arbitrary code execution
  A security issue has been found in gitlab versions prior to 11.4.3, where the wiki API contained an input validation issue which resulted in remote code execution.
CVE-2018-18648  AVG-794  Low       Yes     Information disclosure
  A security issue has been found in gitlab versions prior to 11.4.3, where a JSON endpoint was disclosing Gem version information which could result in an...
CVE-2018-18647  AVG-802  Medium    Yes     Access restriction bypass
  A security issue has been found in gitlab versions prior to 11.4.3, where the protected_branches API was vulnerable to an issue which allowed an...
CVE-2018-18646  AVG-794  Medium    Yes     Cross-site request forgery
  A security issue has been found in gitlab versions prior to 11.4.3, where the Hipchat integration was vulnerable to an SSRF issue which allowed an attacker...
CVE-2018-18645  AVG-794  Low       Yes     Information disclosure
  A security issue has been found in gitlab versions prior to 11.4.3, where when replying to an issue through email, with the GitLab email footer included, a...
CVE-2018-18644  AVG-802  Medium    Yes     Information disclosure
  A security issue has been found in gitlab versions prior to 11.4.3, where the Prometheus integration was vulnerable to an indirect object reference issue...
CVE-2018-18643  AVG-794  Medium    Yes     Cross-site scripting
  A security issue has been found in gitlab versions prior to 11.4.3, where the fragment identifier (hash) of several pages contained a lack of input...
CVE-2018-18642  AVG-802  Medium    Yes     Cross-site scripting
  A security issue has been found in gitlab versions prior to 11.4.3, where the license management and security reports pages contained a lack of input...
CVE-2018-18641  AVG-794  Low       Yes     Information disclosure
  A security issue has been found in gitlab versions prior to 11.4.3, where personal access tokens were being stored unencrypted as plain text in the database...
CVE-2018-18640  AVG-794  Medium    No      Information disclosure
  A security issue has been found in gitlab versions prior to 11.4.3, where private project pages had inadequate cache control, which resulted in unauthorized...
CVE-2018-12607  AVG-726  Medium    Yes     Cross-site scripting
  The charts feature contained a persistent XSS issue due to a lack of output encoding.
CVE-2018-12606  AVG-726  Medium    Yes     Cross-site scripting
  The wiki contained a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature.
CVE-2018-3740   AVG-726  Medium    Yes     Insufficient validation
  A specially crafted HTML fragment can cause the Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.

Advisories

Date         Advisory       Group    Severity  Description
31 Oct 2018  ASA-201810-16  AVG-794  Critical  multiple issues
04 Jul 2018  ASA-201807-1   AVG-726  Medium    multiple issues