CVE-2020-11506
https://notcve.org/view.php?id=CVE-2020-11506
An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling. Se descubrió un problema en GitLab versiones 10.7.0 y posteriores hasta la versión 12.9.2. Una omisión de Workhorse podría conllevar a una carga de artefactos de trabajo y una divulgación de archivos (Exposición de información confidencial) por medio del tráfico no autorizado de peticiones. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2020-11505
https://notcve.org/view.php?id=CVE-2020-11505
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling. Se descubrió un problema en GitLab Community Edition (CE) and Enterprise Edition (EE) versiones anteriores a la versión 12.7.9, versiones 12.8.x anteriores a la versión 12.8.9 y versiones 12.9.x anteriores a la versión 12.9.3. Una omisión de Workhorse podría conllevar a una divulgación de paquetes y archivos NuGet (Exposición de información confidencial) por medio del tráfico no autorizado de peticiones. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2020-10975
https://notcve.org/view.php?id=CVE-2020-10975
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page. GitLab EE/CE versiones 10.8 hasta 12.9, está filtrando metadatos y comentarios sobre vulnerabilidades a usuarios no autorizados en la página de comentarios sobre vulnerabilidades. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases •
CVE-2020-10976
https://notcve.org/view.php?id=CVE-2020-10976
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget. GitLab EE/CE versiones 8.17 hasta 12.9, es vulnerable a la filtrado de información al consultar un widget de una petición de fusión. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-10977 – GitLab File Read Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-10977
GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects. GitLab EE/CE versiones 8.5 hasta 12.9, es vulnerable a un salto de ruta cuando se mueve un problema entre proyectos. • https://github.com/KooroshRZ/CVE-2020-10977 https://github.com/liath/CVE-2020-10977 https://github.com/JustMichi/CVE-2020-10977.py http://packetstormsecurity.com/files/160441/GitLab-File-Read-Remote-Code-Execution.html https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases https://hackerone.com/reports/827052 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •