FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
16f7ec68-5cce-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory


Discovery 2022-11-02
Entry 2022-11-05
gitlab-ce
ge 15.5.0 lt 15.5.2

ge 15.4.0 lt 15.4.4

ge 9.3.0 lt 15.3.5

CVE-2022-3767
CVE-2022-3265
CVE-2022-3483
CVE-2022-3818
CVE-2022-3726
CVE-2022-2251
CVE-2022-3486
CVE-2022-3793
CVE-2022-3413
CVE-2022-2761
CVE-2022-3819
CVE-2022-3280
CVE-2022-3706
https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/
e6b994e2-2891-11ed-9be7-454b1dd82c64Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled


Discovery 2022-08-30
Entry 2022-08-30
gitlab-ce
ge 15.3.0 lt 15.3.2

ge 15.2.0 lt 15.2.4

ge 10.0.0 lt 15.1.6

CVE-2022-2992
CVE-2022-2865
CVE-2022-2527
CVE-2022-2592
CVE-2022-2533
CVE-2022-2455
CVE-2022-2428
CVE-2022-2908
CVE-2022-2630
CVE-2022-2931
CVE-2022-2907
CVE-2022-3031
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
f414d69f-e43d-11ec-9ea4-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass


Discovery 2022-06-01
Entry 2022-06-04
gitlab-ce
ge 15.0.0 lt 15.0.1

ge 14.10.0 lt 14.10.4

ge 11.10.0 lt 14.9.5

CVE-2022-1680
CVE-2022-1940
CVE-2022-1948
CVE-2022-1935
CVE-2022-1936
CVE-2022-1944
CVE-2022-1821
CVE-2022-1783
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
04422df1-40d8-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level


Discovery 2022-09-29
Entry 2022-09-30
gitlab-ce
ge 15.4.0 lt 15.4.1

ge 15.3.0 lt 15.3.4

ge 9.3.0 lt 15.2.5

CVE-2022-3293
CVE-2022-3279
CVE-2022-3325
https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/
CVE-2022-3283
CVE-2022-3060
CVE-2022-2904
CVE-2022-3018
CVE-2022-3291
CVE-2022-3067
CVE-2022-2882
CVE-2022-3066
CVE-2022-3286
CVE-2022-3285
CVE-2022-3330
CVE-2022-3351
CVE-2022-3288
43f84437-73ab-11ec-a587-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port


Discovery 2022-01-11
Entry 2022-01-12
gitlab-ce
ge 14.6.0 lt 14.6.2

ge 14.5.0 lt 14.5.3

ge 7.7 lt 14.4.5

CVE-2021-39946
CVE-2022-0154
CVE-2022-0152
CVE-2022-0151
CVE-2022-0172
CVE-2022-0090
CVE-2022-0125
CVE-2022-0124
CVE-2021-39942
CVE-2022-0093
CVE-2021-39927
https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/
8a0cd618-22a0-11ed-b1e7-001b217b3468Gitlab -- Remote Code Execution

Gitlab reports:

Remote Command Execution via Github import


Discovery 2022-08-22
Entry 2022-08-23
gitlab-ce
ge 15.3.0 lt 15.3.1

ge 15.2.0 lt 15.2.3

ge 11.3.4 lt 15.1.5

CVE-2022-2884
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
2823048d-9f8f-11ec-8c9c-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments


Discovery 2022-02-25
Entry 2022-03-09
gitlab-ce
ge 14.8.0 lt 14.8.2

ge 14.7.0 lt 14.7.4

ge 0 lt 14.6.5

CVE-2022-0735
CVE-2022-0549
CVE-2022-0751
CVE-2022-0741
CVE-2021-4191
CVE-2022-0738
CVE-2022-0489
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
8657eedd-b423-11ec-9559-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID


Discovery 2022-03-31
Entry 2022-04-04
gitlab-ce
ge 14.9.0 lt 14.9.2

ge 14.8.0 lt 14.8.5

ge 0 lt 14.7.7

CVE-2022-1162
CVE-2022-1175
CVE-2022-1190
CVE-2022-1185
CVE-2022-1148
CVE-2022-1121
CVE-2022-1120
CVE-2022-1100
CVE-2022-1193
CVE-2022-1105
CVE-2022-1099
CVE-2022-1174
CVE-2022-1188
CVE-2022-0740
CVE-2022-1189
CVE-2022-1157
CVE-2022-1111
https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
4c26f668-0fd2-11ed-a83d-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails


Discovery 2022-07-28
Entry 2022-07-30
gitlab-ce
ge 15.2.0 lt 15.2.1

ge 15.1.0 lt 15.1.4

ge 0 lt 15.0.5

CVE-2022-2512
CVE-2022-2498
CVE-2022-2326
CVE-2022-2417
CVE-2022-2501
CVE-2022-2497
CVE-2022-2531
CVE-2022-2539
CVE-2022-2456
CVE-2022-2500
CVE-2022-2303
CVE-2022-2095
CVE-2022-2499
CVE-2022-2307
CVE-2022-2459
CVE-2022-2534
https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/
3507bfb3-85d5-11ec-8c9c-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected


Discovery 2022-02-03
Entry 2022-02-04
gitlab-ce
ge 14.7.0 lt 14.7.1

ge 14.6.0 lt 14.6.4

ge 0 lt 14.5.4

CVE-2022-0427
CVE-2022-0425
CVE-2022-0123
CVE-2022-0136
CVE-2022-0283
CVE-2022-0390
CVE-2022-0373
CVE-2022-0371
CVE-2021-39943
CVE-2022-0477
CVE-2022-0167
CVE-2022-0249
CVE-2022-0344
CVE-2022-0488
CVE-2021-39931
https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/
d1b35142-ff4a-11ec-8be3-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint


Discovery 2022-06-30
Entry 2022-07-09
gitlab-ce
ge 15.1.0 lt 15.1.1

ge 15.0.0 lt 15.0.4

ge 0 lt 14.10.5

CVE-2022-2185
CVE-2022-2235
CVE-2022-2230
CVE-2022-2229
CVE-2022-1983
CVE-2022-1963
CVE-2022-2228
CVE-2022-2243
CVE-2022-2244
CVE-2022-1954
CVE-2022-2270
CVE-2022-2250
CVE-2022-1999
CVE-2022-2281
CVE-2022-1981
CVE-2022-2227
https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/