CVE-2020-11649
https://notcve.org/view.php?id=CVE-2020-11649
An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released • CWE-306: Missing Authentication for Critical Function •
CVE-2020-11505
https://notcve.org/view.php?id=CVE-2020-11505
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling. • https://about.gitlab.com/blog/categories/releases https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2020-10976
https://notcve.org/view.php?id=CVE-2020-10976
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-10977 – GitLab File Read Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-10977
GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects. • https://github.com/KooroshRZ/CVE-2020-10977 https://github.com/liath/CVE-2020-10977 https://github.com/JustMichi/CVE-2020-10977.py http://packetstormsecurity.com/files/160441/GitLab-File-Read-Remote-Code-Execution.html https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases https://hackerone.com/reports/827052 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-10978
https://notcve.org/view.php?id=CVE-2020-10978
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API. • https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released https://about.gitlab.com/releases/categories/releases •