CVE-2023-6159 – Inefficient Regular Expression Complexity in GitLab
https://notcve.org/view.php?id=CVE-2023-6159
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.
• https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/431924 https://hackerone.com/reports/2251278
• CWE-1333: Inefficient Regular Expression Complexity
CVE-2023-5933 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
https://notcve.org/view.php?id=CVE-2023-5933
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
• https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/430236 https://hackerone.com/reports/2225710
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-0456 – Direct Request ('Forced Browsing') in GitLab
https://notcve.org/view.php?id=CVE-2024-0456
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project.
• https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/430726
• CWE-285: Improper Authorization; CWE-425: Direct Request ('Forced Browsing')
CVE-2023-2030 – Improper Verification of Cryptographic Signature in GitLab
https://notcve.org/view.php?id=CVE-2023-2030
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
• https://gitlab.com/gitlab-org/gitlab/-/issues/407252 https://hackerone.com/reports/1929929
• CWE-345: Insufficient Verification of Data Authenticity; CWE-347: Improper Verification of Cryptographic Signature
CVE-2023-5356 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-5356
Incorrect authorization checks in GitLab CE/EE in all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, and all versions starting from 16.7 before 16.7.2 allow a user to abuse Slack/Mattermost integrations to execute slash commands as another user.
• https://gitlab.com/gitlab-org/gitlab/-/issues/427154 https://hackerone.com/reports/2188868
• CWE-863: Incorrect Authorization