CVE-2024-0402 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
https://notcve.org/view.php?id=CVE-2024-0402
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
References: https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released ; https://gitlab.com/gitlab-org/gitlab/-/issues/437819
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-2030 – Improper Verification of Cryptographic Signature in GitLab
https://notcve.org/view.php?id=CVE-2023-2030
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/407252 ; https://hackerone.com/reports/1929929
Weaknesses: CWE-345: Insufficient Verification of Data Authenticity ; CWE-347: Improper Verification of Cryptographic Signature
CVE-2023-4812 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-4812
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, and all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/424398 ; https://hackerone.com/reports/2115574
Weaknesses: CWE-284: Improper Access Control ; CWE-863: Incorrect Authorization
CVE-2023-5356 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-5356
Incorrect authorization checks in GitLab CE/EE in all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, and all versions starting from 16.7 before 16.7.2 allow a user to abuse Slack/Mattermost integrations to execute slash commands as another user.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/427154 ; https://hackerone.com/reports/2188868
Weakness: CWE-863: Incorrect Authorization
CVE-2023-6955 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-6955
An improper access control (missing authorization check) vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
References: https://gitlab.com/gitlab-org/gitlab/-/issues/432188
Weaknesses: CWE-284: Improper Access Control ; CWE-668: Exposure of Resource to Wrong Sphere ; CWE-862: Missing Authorization