FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
3507bfb3-85d5-11ec-8c9c-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected


Discovery 2022-02-03
Entry 2022-02-04
gitlab-ce
ge 14.7.0 lt 14.7.1

ge 14.6.0 lt 14.6.4

ge 0 lt 14.5.4

CVE-2022-0427
CVE-2022-0425
CVE-2022-0123
CVE-2022-0136
CVE-2022-0283
CVE-2022-0390
CVE-2022-0373
CVE-2022-0371
CVE-2021-39943
CVE-2022-0477
CVE-2022-0167
CVE-2022-0249
CVE-2022-0344
CVE-2022-0488
CVE-2021-39931
https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/
16f7ec68-5cce-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory


Discovery 2022-11-02
Entry 2022-11-05
gitlab-ce
ge 15.5.0 lt 15.5.2

ge 15.4.0 lt 15.4.4

ge 9.3.0 lt 15.3.5

CVE-2022-3767
CVE-2022-3265
CVE-2022-3483
CVE-2022-3818
CVE-2022-3726
CVE-2022-2251
CVE-2022-3486
CVE-2022-3793
CVE-2022-3413
CVE-2022-2761
CVE-2022-3819
CVE-2022-3280
CVE-2022-3706
https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/
33557582-3958-11ec-90ba-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address


Discovery 2021-10-28
Entry 2021-10-30
gitlab-ce
ge 14.4.0 lt 14.4.1

ge 14.3.0 lt 14.3.4

ge 0 lt 14.2.6

CVE-2021-39906
CVE-2021-39895
CVE-2021-39907
CVE-2021-39904
CVE-2021-39905
CVE-2021-39902
CVE-2021-39913
CVE-2021-39912
CVE-2021-39909
CVE-2021-39903
CVE-2021-39898
CVE-2021-39901
CVE-2021-39897
CVE-2021-39914
CVE-2021-39911
https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/
8a0cd618-22a0-11ed-b1e7-001b217b3468Gitlab -- Remote Code Execution

Gitlab reports:

Remote Command Execution via Github import


Discovery 2022-08-22
Entry 2022-08-23
gitlab-ce
ge 15.3.0 lt 15.3.1

ge 15.2.0 lt 15.2.3

ge 11.3.4 lt 15.1.5

CVE-2022-2884
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
04422df1-40d8-11ed-9be7-454b1dd82c64Gitlab -- Multiple vulnerabilities

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level


Discovery 2022-09-29
Entry 2022-09-30
gitlab-ce
ge 15.4.0 lt 15.4.1

ge 15.3.0 lt 15.3.4

ge 9.3.0 lt 15.2.5

CVE-2022-3293
CVE-2022-3279
CVE-2022-3325
https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/
CVE-2022-3283
CVE-2022-3060
CVE-2022-2904
CVE-2022-3018
CVE-2022-3291
CVE-2022-3067
CVE-2022-2882
CVE-2022-3066
CVE-2022-3286
CVE-2022-3285
CVE-2022-3330
CVE-2022-3351
CVE-2022-3288
d1b35142-ff4a-11ec-8be3-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint


Discovery 2022-06-30
Entry 2022-07-09
gitlab-ce
ge 15.1.0 lt 15.1.1

ge 15.0.0 lt 15.0.4

ge 0 lt 14.10.5

CVE-2022-2185
CVE-2022-2235
CVE-2022-2230
CVE-2022-2229
CVE-2022-1983
CVE-2022-1963
CVE-2022-2228
CVE-2022-2243
CVE-2022-2244
CVE-2022-1954
CVE-2022-2270
CVE-2022-2250
CVE-2022-1999
CVE-2022-2281
CVE-2022-1981
CVE-2022-2227
https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/
2823048d-9f8f-11ec-8c9c-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments


Discovery 2022-02-25
Entry 2022-03-09
gitlab-ce
ge 14.8.0 lt 14.8.2

ge 14.7.0 lt 14.7.4

ge 0 lt 14.6.5

CVE-2022-0735
CVE-2022-0549
CVE-2022-0751
CVE-2022-0741
CVE-2021-4191
CVE-2022-0738
CVE-2022-0489
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
43f84437-73ab-11ec-a587-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port


Discovery 2022-01-11
Entry 2022-01-12
gitlab-ce
ge 14.6.0 lt 14.6.2

ge 14.5.0 lt 14.5.3

ge 7.7 lt 14.4.5

CVE-2021-39946
CVE-2022-0154
CVE-2022-0152
CVE-2022-0151
CVE-2022-0172
CVE-2022-0090
CVE-2022-0125
CVE-2022-0124
CVE-2021-39942
CVE-2022-0093
CVE-2021-39927
https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/
4c26f668-0fd2-11ed-a83d-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails


Discovery 2022-07-28
Entry 2022-07-30
gitlab-ce
ge 15.2.0 lt 15.2.1

ge 15.1.0 lt 15.1.4

ge 0 lt 15.0.5

CVE-2022-2512
CVE-2022-2498
CVE-2022-2326
CVE-2022-2417
CVE-2022-2501
CVE-2022-2497
CVE-2022-2531
CVE-2022-2539
CVE-2022-2456
CVE-2022-2500
CVE-2022-2303
CVE-2022-2095
CVE-2022-2499
CVE-2022-2307
CVE-2022-2459
CVE-2022-2534
https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/
b299417a-5725-11ec-a587-001b217b3468Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI


Discovery 2021-12-06
Entry 2021-12-07
gitlab-ce
ge 14.5.0 lt 14.5.2

ge 14.4.0 lt 14.4.4

ge 0 lt 14.3.6

CVE-2021-39944
CVE-2021-39935
CVE-2021-39937
CVE-2021-39915
CVE-2021-39919
CVE-2021-39930
CVE-2021-39940
CVE-2021-39932
CVE-2021-39933
CVE-2021-39934
CVE-2021-39917
CVE-2021-39916
CVE-2021-39941
CVE-2021-39936
CVE-2021-39938
CVE-2021-39918
CVE-2021-39931
CVE-2021-39945
CVE-2021-39910
https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
8657eedd-b423-11ec-9559-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID


Discovery 2022-03-31
Entry 2022-04-04
gitlab-ce
ge 14.9.0 lt 14.9.2

ge 14.8.0 lt 14.8.5

ge 0 lt 14.7.7

CVE-2022-1162
CVE-2022-1175
CVE-2022-1190
CVE-2022-1185
CVE-2022-1148
CVE-2022-1121
CVE-2022-1120
CVE-2022-1100
CVE-2022-1193
CVE-2022-1105
CVE-2022-1099
CVE-2022-1174
CVE-2022-1188
CVE-2022-0740
CVE-2022-1189
CVE-2022-1157
CVE-2022-1111
https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
1bdd4db6-2223-11ec-91be-001b217b3468Gitlab -- vulnerabilities

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing do not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry


Discovery 2021-09-30
Entry 2021-09-30
gitlab-ce
ge 14.3.0 lt 14.3.1

ge 14.2.0 lt 14.2.5

ge 0 lt 14.1.7

CVE-2021-39885
CVE-2021-39877
CVE-2021-39887
CVE-2021-39867
CVE-2021-39869
CVE-2021-39872
CVE-2021-39878
CVE-2021-39866
CVE-2021-39882
CVE-2021-39875
CVE-2021-39870
CVE-2021-39884
CVE-2021-39883
CVE-2021-22259
CVE-2021-39868
CVE-2021-39871
CVE-2021-39874
CVE-2021-39873
CVE-2021-39881
CVE-2021-39886
CVE-2021-39879
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/
e6b994e2-2891-11ed-9be7-454b1dd82c64Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled


Discovery 2022-08-30
Entry 2022-08-30
gitlab-ce
ge 15.3.0 lt 15.3.2

ge 15.2.0 lt 15.2.4

ge 10.0.0 lt 15.1.6

CVE-2022-2992
CVE-2022-2865
CVE-2022-2527
CVE-2022-2592
CVE-2022-2533
CVE-2022-2455
CVE-2022-2428
CVE-2022-2908
CVE-2022-2630
CVE-2022-2931
CVE-2022-2907
CVE-2022-3031
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
f414d69f-e43d-11ec-9ea4-001b217b3468Gitlab -- multiple vulnerabilities

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass


Discovery 2022-06-01
Entry 2022-06-04
gitlab-ce
ge 15.0.0 lt 15.0.1

ge 14.10.0 lt 14.10.4

ge 11.10.0 lt 14.9.5

CVE-2022-1680
CVE-2022-1940
CVE-2022-1948
CVE-2022-1935
CVE-2022-1936
CVE-2022-1944
CVE-2022-1821
CVE-2022-1783
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/