CVE-2023-3509 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-3509
An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. Se descubrió un problema en GitLab que afecta a todas las versiones anteriores a 16.7.6, todas las versiones desde 16.8 anteriores a 16.8.3, todas las versiones desde 16.9 anteriores a 16.9.1. Los miembros del grupo con función de submantenedor podían cambiar el título de las claves de implementación de acceso privado asociadas con los proyectos del grupo. • https://gitlab.com/gitlab-org/gitlab/-/issues/416945 https://hackerone.com/reports/2037814 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVE-2023-6736 – Inefficient Regular Expression Complexity in GitLab
https://notcve.org/view.php?id=CVE-2023-6736
An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file. Se descubrió un problema en GitLab EE que afecta a todas las versiones desde 11.3 anteriores a 16.6.7, todas las versiones desde 16.7 anteriores a 16.7.5, todas las versiones desde 16.8 anteriores a 16.8.2. Era posible que un atacante provocara una denegación de servicio del lado del cliente utilizando contenido manipulado maliciosamente en el archivo CODEOWNERS. • https://gitlab.com/gitlab-org/gitlab/-/issues/435036 https://hackerone.com/reports/2269023 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVE-2024-1066 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2024-1066
An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL `vulnerabilitiesCountByDay` Se ha descubierto un problema en GitLab EE que afecta a todas las versiones desde 13.3.0 anterior a 16.6.7, 16.7 anterior a 16.7.5 y 16.8 anterior a 16.8.2, lo que permite a un atacante agotar los recursos utilizando las `vulnerabilidadesCountByDay` de GraphQL. • https://gitlab.com/gitlab-org/gitlab/-/issues/420341 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-5612 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-5612
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. Se descubrió un problema en GitLab que afecta a todas las versiones anteriores a 16.6.6, 16.7 anteriores a 16.7.4 y 16.8 anteriores a 16.8.1. Era posible leer la dirección de correo electrónico del usuario a través del feed de etiquetas, aunque la visibilidad en el perfil del usuario se ha desactivado. An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/428441 https://hackerone.com/reports/2208790 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2023-6159 – Inefficient Regular Expression Complexity in GitLab
https://notcve.org/view.php?id=CVE-2023-6159
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones desde 12.7 anterior a 16.6.6, 16.7 anterior a 16.7.4 y 16.8 anterior a 16.8.1. Era posible que un atacante desencadenara una denegación de servicio de expresión regular a través de un `Cargo.toml` que contiene entradas manipuladas con fines malintencionados. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/431924 https://hackerone.com/reports/2251278 • CWE-1333: Inefficient Regular Expression Complexity •