CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-8971
https://notcve.org/view.php?id=CVE-2018-8971
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users. La integración de Auth0 en GitLab, en versiones anteriores a la 10.3.9, versiones 10.4.x anteriores a la 10.4.6 y versiones 10.5.x anteriores a la 10.5.6 tiene una configuración omniauth-auth0 incorrecta, lo que da lugar al firmado de usuarios no deseados. • https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released https://www.debian.org/security/2018/dsa-4206 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-0920
https://notcve.org/view.php?id=CVE-2017-0920
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance. Las ediciones Community y Enterprise de Gitlab, en versiones anteriores a la 10.1.6, 10.2.6 y 10.3.4, son vulnerables a un problema de omisión de autenticación en el componente Projects::MergeRequests::CreationsController. Esto resulta en que un atacante puede ver todos los nombres de proyecto y sus respectivos espacios de nombre en una instancia de GitLab. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301336 https://www.debian.org/security/2018/dsa-4206 • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 4%CPEs: 9EXPL: 0CVE-2017-0915
https://notcve.org/view.php?id=CVE-2017-0915
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution. Gitlab Community Edition 10.2.4 es vulnerable a una falta de validación de entradas en GitlabProjectsImportService que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/298873 https://www.debian.org/security/2018/dsa-4145 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 4%CPEs: 7EXPL: 0CVE-2017-0916
https://notcve.org/view.php?id=CVE-2017-0916
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution. Gitlab Community Edition 10.3 es vulnerable a una falta de validación de entradas en la cola system_hook_push mediante el componente de enlace web que resulta en la ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/299473 https://www.debian.org/security/2018/dsa-4145 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 4%CPEs: 9EXPL: 0CVE-2018-3710
https://notcve.org/view.php?id=CVE-2018-3710
Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution. Las ediciones Community y Enterprise de Gitlab, en su versión 10.3.3, son vulnerables a un archivo temporal inseguro en el componente de importación de proyectos, lo que resulta en una ejecución remota de código. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-com/infrastructure/issues/3510 https://gitlab.com/gitlab-org/gitlab-ce/issues/41757 https://hackerone.com/reports/302959 https://www.debian.org/security/2018/dsa-4145 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-377: Insecure Temporary File •