CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2017-0918
https://notcve.org/view.php?id=CVE-2017-0918
Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution. Gitlab Community Edition 10.3 es vulnerable a un problema de salto de directorio en el componente GitLab CI runner que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301432 https://www.debian.org/security/2018/dsa-4145 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 1CVE-2017-0926
https://notcve.org/view.php?id=CVE-2017-0926
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. Gitlab Community Edition 10.3 es vulnerable a un problema de autorización incorrecta en el componente Oauth sign-in que resulta en el inicio de sesión de un usuario no autorizado. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-org/gitlab-ce/issues/32198 https://www.debian.org/security/2018/dsa-4145 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2017-0925
https://notcve.org/view.php?id=CVE-2017-0925
Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password. Gitlab Enterprise Edition 10.1.0 es vulnerable a un problema de credenciales protegidas de forma insuficiente en el endpoint de API de proyecto de integración de servicio que resulta en la divulgación de información de contraseñas en texto plano. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-org/gitlab-ee/issues/3847 https://www.debian.org/security/2018/dsa-4145 • CWE-319: Cleartext Transmission of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-8540
https://notcve.org/view.php?id=CVE-2014-8540
The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks. La API de grupos en GitLab 6.x y 7.x anteriores a la 7.4.3 permite que los usuarios guest autenticados remotos modifiquen la propiedad de grupos arbitrarios aprovechándose de las comprobaciones incorrectas de permisos. • http://www.openwall.com/lists/oss-security/2014/10/31/2 http://www.securityfocus.com/bid/70841 https://about.gitlab.com/2014/10/30/gitlab-7-4-3-released https://exchange.xforce.ibmcloud.com/vulnerabilities/98449 https://gitlab.com/gitlab-org/gitlab-ce/commit/a2dfff418bf2532ebb5aee88414107929b17eefd • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.9EPSS: 0%CPEs: 8EXPL: 0CVE-2017-17716
https://notcve.org/view.php?id=CVE-2017-17716
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. GitLab en versiones 9.4.x anteriores a la 9.4.2 no es compatible con la verificación de certificados SSL LDAP, pero se mencionó la opción LDAP verify_certificates en el anuncio del lanzamiento de la versión 9.4. Este problema ocurrió porque el código no se combinó. • https://about.gitlab.com/2017/07/22/gitlab-9-4-released/#security---add-ldap-ssl-certificate-verification https://about.gitlab.com/2017/07/28/gitlab-9-dot-4-dot-2-released https://gitlab.com/gitlab-org/gitlab-ce/issues/30420 • CWE-295: Improper Certificate Validation •