FreshPorts - VuXML

Gitlab reports:

Disclosure of CI/CD variables using Custom project templates

GitLab omnibus DoS crash via OOM with CI Catalogs

Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service

DoS - Blocking FIFO files in Tar archives

Titles exposed by service-desk template

Approval on protected environments can be bypassed

Version information disclosure when super_sidebar_logged_out feature flag is enabled

Add abuse detection for search syntax filter pipes

ge 16.5.0 lt 16.5.1

ge 16.4.0 lt 16.4.2

ge 11.6.0 lt 16.3.6

Gitlab reports:

A user can change the name and path of some public GitLab groups

ge 16.1.0 lt 16.1.2

ge 16.0.0 lt 16.0.7

ge 15.11.0 lt 15.11.11

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS

ge 16.9.0 lt 16.9.1

ge 16.8.0 lt 16.8.3

ge 11.3.0 lt 16.7.6

Gitlab reports:

Account Takeover via Password Reset without user interactions

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user

Bypass CODEOWNERS approval removal

Workspaces able to be created under different root namespace

Commit signature validation ignores headers after signature

ge 16.7.0 lt 16.7.2

ge 16.6.0 lt 16.6.4

ge 8.13.0 lt 16.5.6

Gitlab reports:

Smartcard authentication allows impersonation of arbitrary user using user's public certificate

When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge

The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags

Project maintainer can escalate to Project owner using project access token rotate API

Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content

Unvalidated timeSpent value leads to unable to load issues on Issue board

Developer can bypass predefined variables via REST API

Auditor users can create merge requests on projects they don't have access to

ge 16.6.0 lt 16.6.2

ge 16.5.0 lt 16.5.4

ge 8.17.0 lt 16.4.4

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DOS using crafted emojis

ge 16.10.0 lt 16.10.1

ge 16.9.0 lt 16.9.3

< 16.8.5

Gitlab reports:

Attacker can abuse scan execution policies to run pipelines as another user

ge 16.3.0 lt 16.3.4

ge 13.12.0 lt 16.2.7

Gitlab reports:

Arbitrary file write while creating workspace

ReDoS in Cargo.toml blob viewer

Arbitrary API PUT requests via HTML injection in user's name

Disclosure of the public email in Tags RSS Feed

Non-Member can update MR Assignees of owned MRs

ge 16.8.0 lt 16.8.1

ge 16.7.0 lt 16.7.4

ge 16.6.0 lt 16.6.6

ge 12.7.0 lt 16.5.8

Gitlab reports:

Privilege escalation of "external user" to internal access through group service account

Maintainer can leak sentry token by changing the configured URL (fix bypass)

Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners

Information disclosure via project import endpoint

Developer can leak DAST scanners "Site Profile" request headers and auth password

Project forking outside current group

User is capable of creating Model experiment and updating existing run's status in public project

ReDoS in bulk import API

Pagination for Branches and Tags can be skipped leading to DoS

Internal Open Redirection Due to Improper handling of "../" characters

Subgroup Member With Reporter Role Can Edit Group Labels

Banned user can delete package registries

ge 16.3.0 lt 16.3.1

ge 16.2.0 lt 16.2.5

ge 4.1.0 lt 16.1.5

Gitlab reports:

Restrict group access token creation for custom roles

Project maintainers can bypass group's scan result policy block_branch_modification setting

ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax

Resource exhaustion using GraphQL vulnerabilitiesCountByDay

ge 16.8.0 lt 16.8.2

ge 16.7.0 lt 16.7.5

ge 13.3.0 lt 16.6.7

Gitlab reports:

XSS and ReDoS in Markdown via Banzai pipeline of Jira

Members with admin_group_member custom permission can add members with higher role

Release Description visible in public projects despite release set as project members only through atom response

Manipulate the repository content in the UI (CVE-2023-3401 bypass)

External user can abuse policy bot to gain access to internal projects

Client-side DOS via Mermaid Flowchart

Developers can update pipeline schedules to use protected branches even if they don't have permission to merge

Users can install Composer packages from public projects even when Package registry is turned off

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Guest users can react (emojis) on confidential work items which they cant see in a project

ge 16.6.0 lt 16.6.1

ge 16.5.0 lt 16.5.3

ge 8.13.0 lt 16.4.3

Gitlab reports:

ReDoS via EpicReferenceFilter in any Markdown fields

New commits to private projects visible in forks created while project was public

New commits to private projects visible in forks created while project was public

Maintainer can leak masked webhook secrets by manipulating URL masking

Information disclosure of project import errors

Sensitive information disclosure via value stream analytics controller

Bypassing Code Owners branch protection rule in GitLab

HTML injection in email address

Webhook token leaked in Sidekiq logs if log format is 'default'

Private email address of service desk issue creator disclosed via issues API

ge 16.1.0 lt 16.1.1

ge 16.0.0 lt 16.0.6

ge 15.11.0 lt 15.11.10

ge 7.14.0 lt 15.10.8

Gitlab reports:

ReDoS via ProjectReferenceFilter in any Markdown fields

ReDoS via AutolinkFilter in any Markdown fields

Regex DoS in Harbor Registry search

Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality

Stored XSS in Web IDE Beta via crafted URL

securityPolicyProjectAssign mutation does not authorize security policy project ID

An attacker can run pipeline jobs as arbitrary user

Possible Pages Unique Domain Overwrite

Access tokens may have been logged when a query was made to an endpoint

Reflected XSS via PlantUML diagram

The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code

Invalid 'start_sha' value on merge requests page may lead to Denial of Service

Developers can create pipeline schedules on protected branches even if they don't have access to merge

Potential DOS due to lack of pagination while loading license data

Leaking emails of newly created users

ge 16.2.0 lt 16.2.2

ge 16.1.0 lt 16.1.3

ge 9.3.0 lt 16.0.8

Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project

Group import allows impersonation of users in CI pipelines

Developers can bypass code owners approval by changing a MR's base branch

Leaking source code of restricted project through a fork

Third party library Consul requires enable-script-checks to be False to enable patch

Service account not deleted when namespace is deleted allowing access to internal projects

Enforce SSO settings bypassed for public projects for Members without identity

Removed project member can write to protected branches

Unauthorised association of CI jobs for Machine Learning experiments

Force pipelines to not have access to protected variables and will likely fail using tags

Maintainer can create a fork relationship between existing projects

Disclosure of masked CI variables via processing CI/CD configuration of forks

Asset Proxy Bypass using non-ASCII character in asset URI

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Removed Developer can continue editing the source code of a public project

A project reporter can leak owner's Sentry instance projects

Math rendering in markdown can escape container and hijack clicks

ge 16.4.0 lt 16.4.1

ge 16.3.0 lt 16.3.5

ge 8.15 lt 16.2.8

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions

ge 16.9.0 lt 16.9.2

ge 16.8.0 lt 16.8.4

ge 11.3.0 lt 16.7.7

Gitlab reports:

Stored-XSS with CSP-bypass in Merge requests

ReDoS via FrontMatterFilter in any Markdown fields

ReDoS via InlineDiffFilter in any Markdown fields

ReDoS via DollarMathPostFilter in Markdown fields

DoS via malicious test report artifacts

Restricted IP addresses can clone repositories of public projects

Reflected XSS in Report Abuse Functionality

Privilege escalation from maintainer to owner by importing members from a project

Bypassing tags protection in GitLab

Denial of Service using multiple labels with arbitrarily large descriptions

Ability to use an unverified email for public and commit emails

Open Redirection Through HTTP Response Splitting

Disclosure of issue notes to an unauthorized user when exporting a project

Ambiguous branch name exploitation

ge 16.0.0 lt 16.0.2

ge 15.11.0 lt 15.11.7

ge 15.10.0 lt 15.10.8

ge 1.2 lt 15.9.8