CVE-2021-22206
https://notcve.org/view.php?id=CVE-2021-22206
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text, Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 11.6. Las credenciales de Pull Mirror están expuestas, permitiendo que otros mantenedores sean capaz de visualizar las credenciales en texto plano • https://github.com/dannymas/CVE-2021-22206 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json https://gitlab.com/gitlab-org/gitlab/-/issues/230864 https://hackerone.com/reports/928074 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2021-22205 – GitLab Community and Enterprise Editions Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-22205
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. Se ha detectado un problema en GitLab CE/EE que afecta a todas las versiones a partir de 11.9. GitLab no estaba comprobado apropiadamente archivos de imagen que fueron pasados a un analizador de archivos, lo que resultó en una ejecución de comando remoto GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files. • https://www.exploit-db.com/exploits/50532 https://github.com/Al1ex/CVE-2021-22205 https://github.com/inspiringz/CVE-2021-22205 https://github.com/mr-r3bot/Gitlab-CVE-2021-22205 https://github.com/XTeam-Wing/CVE-2021-22205 https://github.com/r0eXpeR/CVE-2021-22205 https://github.com/whwlsfb/CVE-2021-22205 https://github.com/c0okB/CVE-2021-22205 https://github.com/Seals6/CVE-2021-22205 https://github.com/antx-code/CVE-2021-22205 https://github.com/keven1z • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2021-22199
https://notcve.org/view.php?id=CVE-2021-22199
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 12.9. GitLab era vulnerable a un ataque de tipo XSS almacenado si etiquetas de ámbito eran usadas • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22199.json https://gitlab.com/gitlab-org/gitlab/-/issues/291004 https://hackerone.com/reports/1050189 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-22202
https://notcve.org/view.php?id=CVE-2021-22202
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. Se ha detectado un problema en GitLab CE/EE que afecta a todas las versiones anteriores. Si la víctima es un administrador, es posible facilitar un ataque de tipo CSRF en los enlaces del Sistema por medio de la API. • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22202.json https://gitlab.com/gitlab-org/gitlab/-/issues/26017 https://hackerone.com/reports/471274 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-22200
https://notcve.org/view.php?id=CVE-2021-22200
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. Se detecto un problema en GitLab CE/EE que afecta a todas las versiones a partir de la versión 12.6. Bajo una condición especial era posible acceder a los datos de un repositorio interno a través de un fork público del proyecto como usuario anónimo • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22200.json https://gitlab.com/gitlab-org/gitlab/-/issues/247523 •