CVE-2017-0918
https://notcve.org/view.php?id=CVE-2017-0918
Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution. Gitlab Community Edition 10.3 es vulnerable a un problema de salto de directorio en el componente GitLab CI runner que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301432 https://www.debian.org/security/2018/dsa-4145 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2017-0926
https://notcve.org/view.php?id=CVE-2017-0926
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. Gitlab Community Edition 10.3 es vulnerable a un problema de autorización incorrecta en el componente Oauth sign-in que resulta en el inicio de sesión de un usuario no autorizado. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-org/gitlab-ce/issues/32198 https://www.debian.org/security/2018/dsa-4145 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVE-2014-8540
https://notcve.org/view.php?id=CVE-2014-8540
The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks. La API de grupos en GitLab 6.x y 7.x anteriores a la 7.4.3 permite que los usuarios guest autenticados remotos modifiquen la propiedad de grupos arbitrarios aprovechándose de las comprobaciones incorrectas de permisos. • http://www.openwall.com/lists/oss-security/2014/10/31/2 http://www.securityfocus.com/bid/70841 https://about.gitlab.com/2014/10/30/gitlab-7-4-3-released https://exchange.xforce.ibmcloud.com/vulnerabilities/98449 https://gitlab.com/gitlab-org/gitlab-ce/commit/a2dfff418bf2532ebb5aee88414107929b17eefd • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2017-17716
https://notcve.org/view.php?id=CVE-2017-17716
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. GitLab en versiones 9.4.x anteriores a la 9.4.2 no es compatible con la verificación de certificados SSL LDAP, pero se mencionó la opción LDAP verify_certificates en el anuncio del lanzamiento de la versión 9.4. Este problema ocurrió porque el código no se combinó. • https://about.gitlab.com/2017/07/22/gitlab-9-4-released/#security---add-ldap-ssl-certificate-verification https://about.gitlab.com/2017/07/28/gitlab-9-dot-4-dot-2-released https://gitlab.com/gitlab-org/gitlab-ce/issues/30420 • CWE-295: Improper Certificate Validation •
CVE-2017-12426
https://notcve.org/view.php?id=CVE-2017-12426
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import. GitLab Community Edition (CE) y Enterprise Edition (EE) en versiones anteriores a la 8.17.8, 9.0.x en versiones anteriores a la 9.0.13, 9.1.x en versiones anteriores a la 9.1.10, 9.2.x en versiones anteriores a la 9.2.10, 9.3.x en versiones anteriores a la 9.3.10, y 9.4.x en versiones anteriores a la 9.4.4 podría permitir que atacantes remotos ejecuten código arbitrario mediante una URL SSH manipulada en una importación de proyecto. • https://github.com/sm-paul-schuette/CVE-2017-12426 https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html • CWE-20: Improper Input Validation •