CVE-2021-22206
https://notcve.org/view.php?id=CVE-2021-22206
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text, Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 11.6. Las credenciales de Pull Mirror están expuestas, permitiendo que otros mantenedores sean capaz de visualizar las credenciales en texto plano • https://github.com/dannymas/CVE-2021-22206 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json https://gitlab.com/gitlab-org/gitlab/-/issues/230864 https://hackerone.com/reports/928074 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2021-22210
https://notcve.org/view.php?id=CVE-2021-22210
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results. Se ha detectado un problema en GitLab CE/EE que afecta a todas las versiones a partir de la 13.2. Al consultar las ramas del repositorio por medio de API, GitLab ignoraba un parámetro de consulta y devolvía una cantidad considerable de resultados • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22210.json https://gitlab.com/gitlab-org/gitlab/-/issues/322500 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2021-22211
https://notcve.org/view.php?id=CVE-2021-22211
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling. Se ha detectado un problema en GitLab CE/EE que afecta a todas las versiones a partir de la 13.7. GitLab Dependency Proxy, bajo determinadas circunstancias, puede hacerse pasar por un usuario, resultando en un manejo de acceso incorrecto • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22211.json https://gitlab.com/gitlab-org/gitlab/-/issues/298847 • CWE-863: Incorrect Authorization •
CVE-2021-22205 – GitLab Community and Enterprise Editions Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-22205
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. Se ha detectado un problema en GitLab CE/EE que afecta a todas las versiones a partir de 11.9. GitLab no estaba comprobado apropiadamente archivos de imagen que fueron pasados a un analizador de archivos, lo que resultó en una ejecución de comando remoto GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files. • https://www.exploit-db.com/exploits/50532 https://github.com/Al1ex/CVE-2021-22205 https://github.com/inspiringz/CVE-2021-22205 https://github.com/mr-r3bot/Gitlab-CVE-2021-22205 https://github.com/XTeam-Wing/CVE-2021-22205 https://github.com/r0eXpeR/CVE-2021-22205 https://github.com/whwlsfb/CVE-2021-22205 https://github.com/c0okB/CVE-2021-22205 https://github.com/Seals6/CVE-2021-22205 https://github.com/antx-code/CVE-2021-22205 https://github.com/keven1z • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2021-22199
https://notcve.org/view.php?id=CVE-2021-22199
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 12.9. GitLab era vulnerable a un ataque de tipo XSS almacenado si etiquetas de ámbito eran usadas • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22199.json https://gitlab.com/gitlab-org/gitlab/-/issues/291004 https://hackerone.com/reports/1050189 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •