FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- multiple vulnerabilities

Affected packages
15.2.0 <= gitlab-ce < 15.2.1
15.1.0 <= gitlab-ce < 15.1.4
0 <= gitlab-ce < 15.0.5

Details

VuXML ID 4c26f668-0fd2-11ed-a83d-001b217b3468
Discovery 2022-07-28
Entry 2022-07-30

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to a private project through an email invite by using another user's email address as an unverified secondary email

Import via git protocol allows bypassing checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victim's Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of a project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non-project members can view a public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects' Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails

References

CVE Name CVE-2022-2095
CVE Name CVE-2022-2303
CVE Name CVE-2022-2307
CVE Name CVE-2022-2326
CVE Name CVE-2022-2417
CVE Name CVE-2022-2456
CVE Name CVE-2022-2459
CVE Name CVE-2022-2497
CVE Name CVE-2022-2498
CVE Name CVE-2022-2499
CVE Name CVE-2022-2500
CVE Name CVE-2022-2501
CVE Name CVE-2022-2512
CVE Name CVE-2022-2531
CVE Name CVE-2022-2534
CVE Name CVE-2022-2539
URL https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/