CVE-2021-22252
https://notcve.org/view.php?id=CVE-2021-22252
A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers Una confusión entre los nombres de las etiquetas y ramas en GitLab CE/EE, afectando a todas las versiones desde la 13.7, permitía a un desarrollador acceder a variables de CI protegidas que sólo deberían ser accesibles para los mantenedores. • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22252.json https://gitlab.com/gitlab-org/gitlab/-/issues/330364 https://hackerone.com/reports/1186135 •
CVE-2021-22253
https://notcve.org/view.php?id=CVE-2021-22253
Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed Una autorización inapropiada en GitLab EE que afectaba a todas las versiones desde la 13.4, permitía a un usuario que anteriormente tenía el acceso necesario desencadenar despliegues en entornos protegidos bajo condiciones específicas después de que se hubiera eliminado el acceso • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22253.json https://gitlab.com/gitlab-org/gitlab/-/issues/323794 https://hackerone.com/reports/1113783 • CWE-863: Incorrect Authorization •
CVE-2021-22238
https://notcve.org/view.php?id=CVE-2021-22238
An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues. Se ha detectado un problema en GitLab, afectando a todas las versiones a partir de la 13.3. GitLab era vulnerable a un ataque de tipo XSS almacenado al usar la funcionalidad design en los issues. • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22238.json https://gitlab.com/gitlab-org/gitlab/-/issues/332420 https://hackerone.com/reports/1212067 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-22254
https://notcve.org/view.php?id=CVE-2021-22254
Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9. En condiciones muy específicas se podría suplantar la identidad de un usuario usando el shell de Gitlab. Esta vulnerabilidad afecta a GitLab CE/EE versión 13.1 y posteriores hasta 14.1.2, 14.0.7 y 13.12.9. • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22254.json https://gitlab.com/gitlab-org/gitlab/-/issues/300265 https://hackerone.com/reports/1087806 • CWE-116: Improper Encoding or Escaping of Output •
CVE-2021-22241
https://notcve.org/view.php?id=CVE-2021-22241
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name. Se ha detectado un problema en GitLab CE/EE afectando a todas las versiones a partir de 14.0. Era posible explotar una vulnerabilidad de tipo cross-site-scripting almacenado por medio de un nombre de rama predeterminado específicamente diseñado • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22241.json https://gitlab.com/gitlab-org/gitlab/-/issues/336460 https://hackerone.com/reports/1256777 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •