CVE-2022-0477
https://notcve.org/view.php?id=CVE-2022-0477
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions. Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 11.9 anteriores a 14.5.4, todas las versiones a partir de la 14.6.0 anteriores a 14.6.4, todas las versiones a partir de la 14.7.0 anteriores a 14.7.1. GitLab no manejaba correctamente las peticiones masivas para eliminar paquetes existentes de los registros de paquetes, lo que podía resultar en una Denegación de Servicio en determinadas condiciones • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0477.json https://gitlab.com/gitlab-org/gitlab/-/issues/348166 •
CVE-2022-1157
https://notcve.org/view.php?id=CVE-2022-1157
Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged Una falta de saneo de los mensajes de excepción registrados en todas las versiones anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 14.9.2 de GitLab CE/EE causa el registro de posibles valores confidenciales en URLs no válidas • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1157.json https://gitlab.com/gitlab-org/gitlab/-/issues/37261 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2022-1193
https://notcve.org/view.php?id=CVE-2022-1193
Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances Un control de acceso inadecuado en las versiones 10.7 anterior a 14.7.7, 14.8 anterior a 14.8.5 y 14.9 anterior a 14.9.2 de GitLab CE/EE permite a un actor malintencionado obtener detalles del último commit de un proyecto privado a través de Merge Requests en determinadas circunstancias • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1193.json https://gitlab.com/gitlab-org/gitlab/-/issues/351823 https://hackerone.com/reports/1465994 • CWE-863: Incorrect Authorization •
CVE-2022-1190
https://notcve.org/view.php?id=CVE-2022-1190
Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc. Un manejo inapropiado de la entrada del usuario en GitLab CE/EE versiones 8.3 anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 14.9.2, permitía a un atacante explotar un ataque de tipo XSS almacenado al abusar de las referencias de hitos de varias palabras en las descripciones de incidencias, comentarios, etc • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1190.json https://gitlab.com/gitlab-org/gitlab/-/issues/352392 https://hackerone.com/reports/1455036 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-1175 – GitLab 14.9 - Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-1175
Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. Una neutralización inapropiada de la entrada del usuario en GitLab CE/EE versiones 14.4 anteriores a 14.7.7, todas las versiones a partir de 14.8 anteriores a 14.8.5, todas las versiones a partir de 14.9 anteriores a 14.9.2, permitió a un atacante explotar un ataque de tipo XSS mediante una inyección de HTML en las notas Gitlab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50889 https://github.com/Greenwolf/CVE-2022-1175 http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json https://gitlab.com/gitlab-org/gitlab/-/issues/353370 https://hackerone.com/reports/1481207 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •