FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
04422df1-40d8-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level


Discovery 2022-09-29
Entry 2022-09-30
gitlab-ce
ge 15.4.0 lt 15.4.1

ge 15.3.0 lt 15.3.4

ge 9.3.0 lt 15.2.5

CVE-2022-3293
CVE-2022-3279
CVE-2022-3325
https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/
CVE-2022-3283
CVE-2022-3060
CVE-2022-2904
CVE-2022-3018
CVE-2022-3291
CVE-2022-3067
CVE-2022-2882
CVE-2022-3066
CVE-2022-3286
CVE-2022-3285
CVE-2022-3330
CVE-2022-3351
CVE-2022-3288
8a0cd618-22a0-11ed-b1e7-001b217b3468Gitlab -- Remote Code Execution

Gitlab reports:

Remote Command Execution via Github import


Discovery 2022-08-22
Entry 2022-08-23
gitlab-ce
ge 15.3.0 lt 15.3.1

ge 15.2.0 lt 15.2.3

ge 11.3.4 lt 15.1.5

CVE-2022-2884
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
16f7ec68-5cce-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory


Discovery 2022-11-02
Entry 2022-11-05
gitlab-ce
ge 15.5.0 lt 15.5.2

ge 15.4.0 lt 15.4.4

ge 9.3.0 lt 15.3.5

CVE-2022-3767
CVE-2022-3265
CVE-2022-3483
CVE-2022-3818
CVE-2022-3726
CVE-2022-2251
CVE-2022-3486
CVE-2022-3793
CVE-2022-3413
CVE-2022-2761
CVE-2022-3819
CVE-2022-3280
CVE-2022-3706
https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/
d1b35142-ff4a-11ec-8be3-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint


Discovery 2022-06-30
Entry 2022-07-09
gitlab-ce
ge 15.1.0 lt 15.1.1

ge 15.0.0 lt 15.0.4

ge 0 lt 14.10.5

CVE-2022-2185
CVE-2022-2235
CVE-2022-2230
CVE-2022-2229
CVE-2022-1983
CVE-2022-1963
CVE-2022-2228
CVE-2022-2243
CVE-2022-2244
CVE-2022-1954
CVE-2022-2270
CVE-2022-2250
CVE-2022-1999
CVE-2022-2281
CVE-2022-1981
CVE-2022-2227
https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/
e6b994e2-2891-11ed-9be7-454b1dd82c64Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled


Discovery 2022-08-30
Entry 2022-08-30
gitlab-ce
ge 15.3.0 lt 15.3.2

ge 15.2.0 lt 15.2.4

ge 10.0.0 lt 15.1.6

CVE-2022-2992
CVE-2022-2865
CVE-2022-2527
CVE-2022-2592
CVE-2022-2533
CVE-2022-2455
CVE-2022-2428
CVE-2022-2908
CVE-2022-2630
CVE-2022-2931
CVE-2022-2907
CVE-2022-3031
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
4c26f668-0fd2-11ed-a83d-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails


Discovery 2022-07-28
Entry 2022-07-30
gitlab-ce
ge 15.2.0 lt 15.2.1

ge 15.1.0 lt 15.1.4

ge 0 lt 15.0.5

CVE-2022-2512
CVE-2022-2498
CVE-2022-2326
CVE-2022-2417
CVE-2022-2501
CVE-2022-2497
CVE-2022-2531
CVE-2022-2539
CVE-2022-2456
CVE-2022-2500
CVE-2022-2303
CVE-2022-2095
CVE-2022-2499
CVE-2022-2307
CVE-2022-2459
CVE-2022-2534
https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/