CVE-2020-11505
https://notcve.org/view.php?id=CVE-2020-11505
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling. Se descubrió un problema en GitLab Community Edition (CE) and Enterprise Edition (EE) versiones anteriores a la versión 12.7.9, versiones 12.8.x anteriores a la versión 12.8.9 y versiones 12.9.x anteriores a la versión 12.9.3. Una omisión de Workhorse podría conllevar a una divulgación de paquetes y archivos NuGet (Exposición de información confidencial) por medio del tráfico no autorizado de peticiones. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2020-10975
https://notcve.org/view.php?id=CVE-2020-10975
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page. GitLab EE/CE versiones 10.8 hasta 12.9, está filtrando metadatos y comentarios sobre vulnerabilidades a usuarios no autorizados en la página de comentarios sobre vulnerabilidades. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases •
CVE-2020-10976
https://notcve.org/view.php?id=CVE-2020-10976
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget. GitLab EE/CE versiones 8.17 hasta 12.9, es vulnerable a la filtrado de información al consultar un widget de una petición de fusión. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-10977 – GitLab File Read Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-10977
GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects. GitLab EE/CE versiones 8.5 hasta 12.9, es vulnerable a un salto de ruta cuando se mueve un problema entre proyectos. • https://github.com/KooroshRZ/CVE-2020-10977 https://github.com/liath/CVE-2020-10977 https://github.com/JustMichi/CVE-2020-10977.py http://packetstormsecurity.com/files/160441/GitLab-File-Read-Remote-Code-Execution.html https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases https://hackerone.com/reports/827052 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-10978
https://notcve.org/view.php?id=CVE-2020-10978
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API. GitLab EE/CE versiones 8.11 hasta 12.9, está filtrando información sobre Problemas aperturados en un proyecto público y luego es movido a un proyecto privado por medio de Interfaz de Usuario Web y la API GraphQL. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases •