CVE-2023-2232
https://notcve.org/view.php?id=CVE-2023-2232
An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2232.json https://gitlab.com/gitlab-org/gitlab/-/issues/408352 https://hackerone.com/reports/1934802 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2023-1825 – Insertion of Sensitive Information Into Sent Data in GitLab
https://notcve.org/view.php?id=CVE-2023-1825
An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1825.json https://gitlab.com/gitlab-org/gitlab/-/issues/384035 • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2023-0508 – Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab
https://notcve.org/view.php?id=CVE-2023-0508
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json https://gitlab.com/gitlab-org/gitlab/-/issues/389328 https://hackerone.com/reports/1842314 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2023-2485 – Incorrect Privilege Assignment in GitLab
https://notcve.org/view.php?id=CVE-2023-2485
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2485.json https://gitlab.com/gitlab-org/gitlab/-/issues/407830 https://hackerone.com/reports/1934811 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVE-2023-2589
https://notcve.org/view.php?id=CVE-2023-2589
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2589.json https://gitlab.com/gitlab-org/gitlab/-/issues/407891 https://hackerone.com/reports/1941803 •