FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- multiple vulnerabilities

Affected packages
15.3.0 <= gitlab-ce < 15.3.2
15.2.0 <= gitlab-ce < 15.2.4
10.0.0 <= gitlab-ce < 15.1.6

Details

VuXML ID e6b994e2-2891-11ed-9be7-454b1dd82c64
Discovery 2022-08-30
Entry 2022-08-30

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled

References

CVE Name CVE-2022-2428
CVE Name CVE-2022-2455
CVE Name CVE-2022-2527
CVE Name CVE-2022-2533
CVE Name CVE-2022-2592
CVE Name CVE-2022-2630
CVE Name CVE-2022-2865
CVE Name CVE-2022-2907
CVE Name CVE-2022-2908
CVE Name CVE-2022-2931
CVE Name CVE-2022-2992
CVE Name CVE-2022-3031
URL https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/