CVE-2023-5612 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-5612
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. Se descubrió un problema en GitLab que afecta a todas las versiones anteriores a 16.6.6, 16.7 anteriores a 16.7.4 y 16.8 anteriores a 16.8.1. Era posible leer la dirección de correo electrónico del usuario a través del feed de etiquetas, aunque la visibilidad en el perfil del usuario se ha desactivado. An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/428441 https://hackerone.com/reports/2208790 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2023-6159 – Inefficient Regular Expression Complexity in GitLab
https://notcve.org/view.php?id=CVE-2023-6159
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones desde 12.7 anterior a 16.6.6, 16.7 anterior a 16.7.4 y 16.8 anterior a 16.8.1. Era posible que un atacante desencadenara una denegación de servicio de expresión regular a través de un `Cargo.toml` que contiene entradas manipuladas con fines malintencionados. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/431924 https://hackerone.com/reports/2251278 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2023-5933 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
https://notcve.org/view.php?id=CVE-2023-5933
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones posteriores a 13.7 anteriores a 16.6.6, 16.7 anteriores a 16.7.4 y 16.8 anteriores a 16.8.1. La sanitización inadecuada de la entrada del nombre de usuario permite solicitudes PUT de API arbitrarias. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/430236 https://hackerone.com/reports/2225710 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-0456 – Direct Request ('Forced Browsing') in GitLab
https://notcve.org/view.php?id=CVE-2024-0456
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project Existe una vulnerabilidad de autorización en las versiones de GitLab 14.0 anteriores a 16.6.6, 16.7 anteriores a 16.7.4 y 16.8 anteriores a 16.8.1. Un atacante no autorizado puede asignar usuarios arbitrarios a los MR que crearon dentro del proyecto. • https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released https://gitlab.com/gitlab-org/gitlab/-/issues/430726 • CWE-285: Improper Authorization CWE-425: Direct Request ('Forced Browsing') •
CVE-2023-2030 – Improper Verification of Cryptographic Signature in GitLab
https://notcve.org/view.php?id=CVE-2023-2030
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones desde 12.2 anterior a 16.5.6, 16.6 anterior a 16.6.4 y 16.7 anterior a 16.7.2 en el que un atacante podría modificar los metadatos de las confirmaciones firmadas. • https://gitlab.com/gitlab-org/gitlab/-/issues/407252 https://hackerone.com/reports/1929929 • CWE-345: Insufficient Verification of Data Authenticity CWE-347: Improper Verification of Cryptographic Signature •