CVSS: 9.8EPSS: 4%CPEs: 7EXPL: 0CVE-2017-0916
https://notcve.org/view.php?id=CVE-2017-0916
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution. Gitlab Community Edition 10.3 es vulnerable a una falta de validación de entradas en la cola system_hook_push mediante el componente de enlace web que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/299473 https://www.debian.org/security/2018/dsa-4145 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2017-0917
https://notcve.org/view.php?id=CVE-2017-0917
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting. Gitlab Community Edition 10.2.4 es vulnerable a una falta de validación de entradas en el componente de trabajo CI que resulta en Cross-Site Scripting (XSS) persistente. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/299525 https://www.debian.org/security/2018/dsa-4145 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2017-0918
https://notcve.org/view.php?id=CVE-2017-0918
Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution. Gitlab Community Edition 10.3 es vulnerable a un problema de salto de directorio en el componente GitLab CI runner que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301432 https://www.debian.org/security/2018/dsa-4145 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 1CVE-2017-0926
https://notcve.org/view.php?id=CVE-2017-0926
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. Gitlab Community Edition 10.3 es vulnerable a un problema de autorización incorrecta en el componente Oauth sign-in que resulta en el inicio de sesión de un usuario no autorizado. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-org/gitlab-ce/issues/32198 https://www.debian.org/security/2018/dsa-4145 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 5.9EPSS: 0%CPEs: 8EXPL: 0CVE-2017-17716
https://notcve.org/view.php?id=CVE-2017-17716
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. GitLab en versiones 9.4.x anteriores a la 9.4.2 no es compatible con la verificación de certificados SSL LDAP, pero se mencionó la opción LDAP verify_certificates en el anuncio del lanzamiento de la versión 9.4. Este problema ocurrió porque el código no se combinó. • https://about.gitlab.com/2017/07/22/gitlab-9-4-released/#security---add-ldap-ssl-certificate-verification https://about.gitlab.com/2017/07/28/gitlab-9-dot-4-dot-2-released https://gitlab.com/gitlab-org/gitlab-ce/issues/30420 • CWE-295: Improper Certificate Validation •