CVE-2021-32823 – Potential Denial-of-Service in bindata
https://notcve.org/view.php?id=CVE-2021-32823
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions, creating certain BinData classes is very slow, for example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.
• https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#update-bindata-dependency
• https://github.com/dmendel/bindata/blob/v2.4.10/ChangeLog.rdoc#version-2410-2021-05-18-
• https://github.com/dmendel/bindata/commit/d99f050b88337559be2cb35906c1f8da49531323
• https://github.com/rubysec/ruby-advisory-db/issues/476
• https://rubygems.org/gems/bindata
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-22181
https://notcve.org/view.php?id=CVE-2021-22181
A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
• https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22181.json
• https://gitlab.com/gitlab-org/gitlab/-/issues/249100
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-22175
https://notcve.org/view.php?id=CVE-2021-22175
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 could be exploited by an unauthenticated attacker, even on a GitLab instance where registration is disabled.
• https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json
• https://gitlab.com/gitlab-org/gitlab/-/issues/294178
• https://hackerone.com/reports/1059596
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-22216
https://notcve.org/view.php?id=CVE-2021-22216
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description.
• https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22216.json
• https://gitlab.com/gitlab-org/gitlab/-/issues/329890
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-22220
https://notcve.org/view.php?id=CVE-2021-22220
An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in the blob viewer of notebooks.
• https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22220.json
• https://gitlab.com/gitlab-org/gitlab/-/issues/294128
• https://hackerone.com/reports/1060114
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')