FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID / Description

5f52d646-c31f-11eb-8dcf-001b217b3468
Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stealing GitLab OAuth access tokens using XSLeaks in Safari

Denial of service through recursive triggered pipelines

Unauthenticated CI lint API may lead to information disclosure and SSRF

Server-side DoS through rendering crafted Markdown documents

Issue and merge request length limit is not being enforced

Insufficient Expired Password Validation

XSS in blob viewer of notebooks

Logging of Sensitive Information

On-call rotation information exposed when removing a member

Spoofing commit author for signed commits

Enable qsh verification for Atlassian Connect


Discovery 2021-06-01
Entry 2021-06-01
gitlab-ce
ge 13.12.0 lt 13.12.2

ge 13.11.0 lt 13.11.5

ge 7.10.0 lt 13.10.5

CVE-2021-22181
https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/
fb6e53ae-9df6-11eb-ba8c-001b217b3468
Gitlab -- Vulnerabilities

SO-AND-SO reports:

Remote code execution when uploading specially crafted image files

Update Rexml


Discovery 2021-04-14
Entry 2021-04-15
gitlab-ce
ge 13.10.0 lt 13.10.3

ge 13.9.0 lt 13.9.6

ge 7.12 lt 13.8.8

https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
CVE-2021-28965
50e59056-87f2-11eb-b6a2-001b217b3468
Gitlab -- Multiple vulnerabilities

Gitlab reports:

Remote code execution via unsafe user-controlled markdown rendering options


Discovery 2021-03-17
Entry 2021-03-18
gitlab-ce
ge 13.9.0 lt 13.9.4

ge 13.8.0 lt 13.8.6

ge 13.2.0 lt 13.7.9

https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/
174e466b-1d48-11eb-bd0f-001b217b3468
Gitlab -- Multiple vulnerabilities

Gitlab reports:

Path Traversal in LFS Upload

Path traversal allows saving packages in arbitrary location

Kubernetes agent API leaks private repos

Terraform state deletion API exposes object storage URL

Stored-XSS in error message of build-dependencies

Git credentials persisted on disk

Potential Denial of service via container registry

Info leak when group is transferred from private to public group

Limited File Disclosure Via Multipart Bypass

Unauthorized user is able to access scheduled pipeline variables and values

CSRF in runner administration page allows an attacker to pause/resume runners

Regex backtracking attack in path parsing of Advanced Search result

Bypass of required CODEOWNERS approval

SAST CiConfiguration information visible without permissions


Discovery 2020-11-02
Entry 2020-11-02
gitlab-ce
ge 13.5.0 lt 13.5.2

ge 13.4.0 lt 13.4.5

ge 8.8.9 lt 13.3.9

https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
CVE-2020-13355
CVE-2020-26405
CVE-2020-13358
CVE-2020-13359
CVE-2020-13340
CVE-2020-13353
CVE-2020-13354
CVE-2020-13352
CVE-2020-13356
CVE-2020-13351
CVE-2020-13350
CVE-2020-13349
CVE-2020-13348
8ba8278d-db06-11eb-ba49-001b217b3468
Gitlab -- Multiple Vulnerabilities

Gitlab reports:

DoS using Webhook connections

CSRF on GraphQL API allows executing mutations through GET requests

Private projects information disclosure

Denial of service of user profile page

Single sign-on users not getting blocked

Some users can push to Protected Branch with Deploy keys

A deactivated user can access data through GraphQL

Reflected XSS in release edit page

Clipboard DOM-based XSS

Stored XSS on Audit Log

Forks of public projects by project members could leak codebase

Improper text rendering

HTML Injection in full name field


Discovery 2021-07-01
Entry 2021-07-02
gitlab-ce
ge 14.0.0 lt 14.0.2

ge 13.12.0 lt 13.12.6

ge 8.0.0 lt 13.11.6

https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/
1020d401-6d2d-11eb-ab0b-001b217b3468
Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Improper Certificate Validation for Fortinet OTP

Denial of Service Attack on gitlab-shell

Resource exhaustion due to pending jobs

Confidential issue titles were exposed

Improper access control allowed demoted project members to access authored merge requests

Improper access control allowed unauthorized users to access analytic pages

Unauthenticated CI lint API may lead to information disclosure and SSRF

Prometheus integration in Gitlab may lead to SSRF


Discovery 2021-02-11
Entry 2021-02-12
gitlab-ce
ge 13.8.0 lt 13.8.4

ge 13.7.0 lt 13.7.7

ge 10.5 lt 13.6.7

https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/
a2a2b34d-52b4-11eb-87cb-001b217b3468
Gitlab -- multiple vulnerabilities

Gitlab reports:

Ability to steal a user's API access token through GitLab Pages

Prometheus denial of service via HTTP request with custom method

Unauthorized user is able to access private repository information under specific conditions

Regular expression denial of service in NuGet API

Regular expression denial of service in package uploads

Update curl dependency

CVE-2019-3881 mitigation


Discovery 2021-01-07
Entry 2021-01-09
gitlab-ce
ge 13.7.0 lt 13.7.2

ge 13.6.0 lt 13.6.4

ge 12.2 lt 13.5.6

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/
CVE-2021-22166
CVE-2020-26414
CVE-2019-3881
0a8ebf4a-5660-11eb-b4e2-001b217b3468
Gitlab -- vulnerability

SO-AND-SO reports:

Ability to steal a user's API access token through GitLab Pages


Discovery 2021-01-14
Entry 2021-01-14
gitlab-ce
ge 13.7.0 lt 13.7.4

ge 13.6.0 lt 13.6.5

ge 12.2 lt 13.5.7

https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/
56abf87b-96ad-11eb-a218-001b217b3468
Gitlab -- Multiple vulnerabilities

Gitlab reports:

Arbitrary File Read During Project Import

Kroki Arbitrary File Read/Write

Stored Cross-Site-Scripting in merge requests

Access data of an internal project through a public project fork as an anonymous user

Incident metric images can be deleted by any user

Infinite Loop When a User Accesses a Merge Request

Stored XSS in scoped labels

Admin CSRF in System Hooks Execution Through API

Update OpenSSL dependency

Update PostgreSQL dependency


Discovery 2021-03-31
Entry 2021-04-06
gitlab-ce
ge 13.10.0 lt 13.10.1

ge 13.9.0 lt 13.9.5

ge 9 lt 13.8.7

https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/
1d651770-f4f5-11eb-ba49-001b217b3468
Gitlab -- Gitlab

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add meta data upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author


Discovery 2021-08-03
Entry 2021-08-04
gitlab-ce
ge 14.1.0 lt 14.1.2

ge 14.0.0 lt 14.0.7

ge 0 lt 13.12.9

CVE-2021-22237
CVE-2021-22236
CVE-2021-22239
https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/
5d5e5cda-38e6-11eb-bbbf-001b217b3468
Gitlab -- Multiple vulnerabilities

Gitlab reports:

XSS in Zoom Meeting URL

Limited Information Disclosure in Private Profile

User email exposed via GraphQL endpoint

Group and project membership potentially exposed via GraphQL

Search terms logged in search parameter in rails logs

Un-authorised access to feature flag user list

A specific query on the explore page causes statement timeouts

Exposure of starred projects on private user profiles

Uncontrolled Resource Consumption in any Markdown field using Mermaid

Former group members able to view updates to confidential epics

Update GraphicsMagick dependency

Update GnuPG dependency

Update libxml dependency


Discovery 2020-12-07
Entry 2020-12-07
gitlab-ce
ge 13.6.0 lt 13.6.2

ge 13.5.0 lt 13.5.5

ge 12.2 lt 13.4.9

https://about.gitlab.com/releases/2020/12/07/security-release-gitlab-13-6-2-released/
CVE-2020-26407
CVE-2020-26408
CVE-2020-13357
CVE-2020-26411
CVE-2020-26409
66d1c277-652a-11eb-bb3f-001b217b3468
Gitlab -- Multiple vulnerabilities

Gitlab reports:

Stored XSS in merge request

Stored XSS in epic's pages

Sensitive GraphQL variables exposed in structured log

Guest user can see tag names in private projects

Information disclosure via error message

DNS rebinding protection bypass

Validate existence of private project


Discovery 2021-02-01
Entry 2021-02-02
gitlab-ce
ge 13.8.0 lt 13.8.2

ge 13.7.0 lt 13.7.6

ge 11.8 lt 13.6.6

https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/
CVE-2021-22172
CVE-2021-22169
1bdd4db6-2223-11ec-91be-001b217b3468
Gitlab -- vulnerabilities

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing does not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry


Discovery 2021-09-30
Entry 2021-09-30
gitlab-ce
ge 14.3.0 lt 14.3.1

ge 14.2.0 lt 14.2.5

ge 0 lt 14.1.7

CVE-2021-39885
CVE-2021-39877
CVE-2021-39887
CVE-2021-39867
CVE-2021-39869
CVE-2021-39872
CVE-2021-39878
CVE-2021-39866
CVE-2021-39882
CVE-2021-39875
CVE-2021-39870
CVE-2021-39884
CVE-2021-39883
CVE-2021-22259
CVE-2021-39868
CVE-2021-39871
CVE-2021-39874
CVE-2021-39873
CVE-2021-39881
CVE-2021-39886
CVE-2021-39879
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/
6c22bb39-0a9a-11ec-a265-001b217b3468
Gitlab -- Vulnerabilities

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference


Discovery 2021-08-31
Entry 2021-08-31
gitlab-ce
ge 14.2.0 lt 14.2.2

ge 14.1.0 lt 14.1.4

ge 0 lt 14.0.9

CVE-2021-22257
CVE-2021-22258
CVE-2021-22238
https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/
8bf856ea-7df7-11eb-9aad-001b217b3468
Gitlab -- Multiple vulnerabilities

Gitlab reports:

JWT token leak via Workhorse

Stored XSS in wiki pages

Group Maintainers are able to use the Group CI/CD Variables API

Insecure storage of GitLab session keys


Discovery 2021-03-04
Entry 2021-03-05
gitlab-ce
ge 13.9.0 lt 13.9.2

ge 13.8.0 lt 13.8.5

lt 13.7.8

https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/
CVE-2021-22185
CVE-2021-22186
518a119c-a864-11eb-8ddb-001b217b3468
Gitlab -- Vulnerabilities

Gitlab reports:

Read API scoped tokens can execute mutations

Pull mirror credentials were exposed

Denial of Service when querying repository branches API

Non-owners can set system_note_timestamp when creating / updating issues

DeployToken will impersonate a User with the same ID when using Dependency Proxy


Discovery 2021-04-28
Entry 2021-04-28
gitlab-ce
ge 13.11.0 lt 13.11.2

ge 13.10.0 lt 13.10.4

ge 11.6.0 lt 13.9.7

https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/
CVE-2021-22209
CVE-2021-22206
CVE-2021-22210
CVE-2021-22208
CVE-2021-22211