FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 21:13:12 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
4c8c2218-b120-11ee-90ec-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Account Takeover via Password Reset without user interactions

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user

Bypass CODEOWNERS approval removal

Workspaces able to be created under different root namespace

Commit signature validation ignores headers after signature


Discovery 2024-01-11
Entry 2024-01-12
gitlab-ce
ge 16.7.0 lt 16.7.2

ge 16.6.0 lt 16.6.4

ge 8.13.0 lt 16.5.6

CVE-2023-7028
CVE-2023-5356
CVE-2023-4812
CVE-2023-6955
CVE-2023-2030
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
e2fb85ce-9a3c-11ee-af26-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Smartcard authentication allows impersonation of arbitrary user using user's public certificate

When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge

The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags

Project maintainer can escalate to Project owner using project access token rotate API

Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content

Unvalidated timeSpent value leads to unable to load issues on Issue board

Developer can bypass predefined variables via REST API

Auditor users can create merge requests on projects they don't have access to


Discovery 2023-12-13
Entry 2023-12-14
gitlab-ce
ge 16.6.0 lt 16.6.2

ge 16.5.0 lt 16.5.4

ge 8.17.0 lt 16.4.4

CVE-2023-6680
CVE-2023-6564
CVE-2023-6051
CVE-2023-3907
CVE-2023-5512
CVE-2023-3904
CVE-2023-5061
CVE-2023-3511
https://about.gitlab.com/releases/2023/12/13/security-release-gitlab-16-6-2-released/
6b2cba6a-c6a5-11ee-97d0-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Restrict group access token creation for custom roles

Project maintainers can bypass group's scan result policy block_branch_modification setting

ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax

Resource exhaustion using GraphQL vulnerabilitiesCountByDay


Discovery 2024-02-07
Entry 2024-02-08
gitlab-ce
ge 16.8.0 lt 16.8.2

ge 16.7.0 lt 16.7.5

ge 13.3.0 lt 16.6.7

CVE-2024-1250
CVE-2023-6840
CVE-2023-6386
CVE-2024-1066
https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/
03bf5157-d145-11ee-acee-001b217b3468Gitlab -- Vulnerabilities

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS


Discovery 2024-02-21
Entry 2024-02-22
gitlab-ce
ge 16.9.0 lt 16.9.1

ge 16.8.0 lt 16.8.3

ge 11.3.0 lt 16.7.6

CVE-2024-1451
CVE-2023-6477
CVE-2023-6736
CVE-2024-1525
CVE-2023-4895
CVE-2024-0861
CVE-2023-3509
CVE-2024-0410
https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/
d2992bc2-ed18-11ee-96dc-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DOS using crafted emojis


Discovery 2024-03-27
Entry 2024-03-28
gitlab-ce
ge 16.10.0 lt 16.10.1

ge 16.9.0 lt 16.9.3

< 16.8.5

CVE-2023-6371
CVE-2024-2818
https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/
61fe903b-bc2e-11ee-b06e-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Arbitrary file write while creating workspace

ReDoS in Cargo.toml blob viewer

Arbitrary API PUT requests via HTML injection in user's name

Disclosure of the public email in Tags RSS Feed

Non-Member can update MR Assignees of owned MRs


Discovery 2024-01-25
Entry 2024-01-26
gitlab-ce
ge 16.8.0 lt 16.8.1

ge 16.7.0 lt 16.7.4

ge 16.6.0 lt 16.6.6

ge 12.7.0 lt 16.5.8

CVE-2024-0402
CVE-2023-6159
CVE-2023-5933
CVE-2023-5612
CVE-2024-0456
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
b2caae55-dc38-11ee-96dc-001b217b3468Gitlab -- Vulnerabilities

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions


Discovery 2024-03-06
Entry 2024-03-07
gitlab-ce
ge 16.9.0 lt 16.9.2

ge 16.8.0 lt 16.8.4

ge 11.3.0 lt 16.7.7

CVE-2024-0199
CVE-2024-1299
https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/