Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2018-AVI-142
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans GitLab . Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "GitLab CE et EE versions 10.4.x ant\u00e9rieures \u00e0 10.4.6",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
},
{
"description": "GitLab CE et EE versions 10.3.x ant\u00e9rieures \u00e0 10.3.9",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
},
{
"description": "GitLab Community Edition (CE) et Enterprise Edition (EE) versions 10.5.x ant\u00e9rieures \u00e0 10.5.6",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2017-0924",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0924"
},
{
"name": "CVE-2017-0915",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0915"
},
{
"name": "CVE-2017-0922",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0922"
},
{
"name": "CVE-2017-0920",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0920"
},
{
"name": "CVE-2017-0925",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0925"
},
{
"name": "CVE-2017-0927",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0927"
},
{
"name": "CVE-2017-0916",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0916"
},
{
"name": "CVE-2018-8801",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8801"
},
{
"name": "CVE-2017-0918",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0918"
},
{
"name": "CVE-2017-0926",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0926"
},
{
"name": "CVE-2017-0923",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0923"
},
{
"name": "CVE-2018-3710",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3710"
},
{
"name": "CVE-2017-0917",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0917"
},
{
"name": "CVE-2017-0914",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-0914"
}
],
"links": [],
"reference": "CERTFR-2018-AVI-142",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-03-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans GitLab . Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans GitLab",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 GitLab du 20 mars 2018",
"url": "https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 GitLab du 16 janvier 2018",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
CVE-2017-0916 (GCVE-0-2017-0916)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/299473"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) (CWE-77)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/299473"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0916",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) (CWE-77)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://hackerone.com/reports/299473",
"refsource": "MISC",
"url": "https://hackerone.com/reports/299473"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0916",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0925 (GCVE-0-2017-0925)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password.
Severity ?
No CVSS data available.
CWE
- CWE-522 - Insufficiently Protected Credentials (CWE-522)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
8.10.6 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "8.10.6 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "Insufficiently Protected Credentials (CWE-522)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "8.10.6 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficiently Protected Credentials (CWE-522)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0925",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:17.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0920 (GCVE-0-2017-0920)
Vulnerability from cvelistv5 – Published: 2018-03-22 15:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance.
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
Versions before 10.1.6, 10.2.6, and 10.3.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/301336"
},
{
"name": "DSA-4206",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4206"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "Versions before 10.1.6, 10.2.6, and 10.3.4"
}
]
}
],
"datePublic": "2018-03-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/301336"
},
{
"name": "DSA-4206",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4206"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "Versions before 10.1.6, 10.2.6, and 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/301336",
"refsource": "MISC",
"url": "https://hackerone.com/reports/301336"
},
{
"name": "DSA-4206",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4206"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0920",
"datePublished": "2018-03-22T15:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0927 (GCVE-0-2017-0927)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.
Severity ?
No CVSS data available.
CWE
- CWE-285 - Improper Authorization (CWE-285)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
8.10.6 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/37594"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "8.10.6 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization (CWE-285)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-21T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/37594"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0927",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "8.10.6 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization (CWE-285)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/37594",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/37594"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0927",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8801 (GCVE-0-2018-8801)
Vulnerability from cvelistv5 – Published: 2018-04-25 09:00 – Updated: 2024-08-05 07:02
VLAI?
EPSS
Summary
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:02:26.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/301924"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41642"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-01T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/301924"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41642"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8801",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/301924",
"refsource": "MISC",
"url": "https://hackerone.com/reports/301924"
},
{
"name": "https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md"
},
{
"name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41642",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41642"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8801",
"datePublished": "2018-04-25T09:00:00",
"dateReserved": "2018-03-19T00:00:00",
"dateUpdated": "2024-08-05T07:02:26.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0923 (GCVE-0-2017-0923)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/293740"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-21T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/293740"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0923",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/293740",
"refsource": "MISC",
"url": "https://hackerone.com/reports/293740"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0923",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:17.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0926 (GCVE-0-2017-0926)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.
Severity ?
No CVSS data available.
CWE
- CWE-285 - Improper Authorization (CWE-285)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.0.5 Fixed in 10.0.5
Affected: 10.1.0 - 10.1.5 Fixed in 10.1.6 Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/32198"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.0.5 Fixed in 10.0.5"
},
{
"status": "affected",
"version": "10.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization (CWE-285)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/32198"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0926",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.0.5 Fixed in 10.0.5"
},
{
"version_value": "10.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization (CWE-285)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
},
{
"name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/32198",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/32198"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0926",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0914 (GCVE-0-2017-0914)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2.4 are vulnerable to a SQL injection in the MilestoneFinder component resulting in disclosure of all data in a GitLab instance's database.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/298176"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2.4 are vulnerable to a SQL injection in the MilestoneFinder component resulting in disclosure of all data in a GitLab instance\u0027s database."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) (CWE-89)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-21T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/298176"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0914",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2.4 are vulnerable to a SQL injection in the MilestoneFinder component resulting in disclosure of all data in a GitLab instance\u0027s database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) (CWE-89)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/298176",
"refsource": "MISC",
"url": "https://hackerone.com/reports/298176"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0914",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0915 (GCVE-0-2017-0915)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
8.9 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/298873"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "8.9 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) (CWE-77)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/298873"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0915",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "8.9 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) (CWE-77)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://hackerone.com/reports/298873",
"refsource": "MISC",
"url": "https://hackerone.com/reports/298873"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0915",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0922 (GCVE-0-2017-0922)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object.
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/301123"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-21T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/301123"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0922",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/301123",
"refsource": "MISC",
"url": "https://hackerone.com/reports/301123"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0922",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3710 (GCVE-0-2018-3710)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 04:50
VLAI?
EPSS
Summary
Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-377 - Insecure Temporary File (CWE-377)
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
8.9 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-com/infrastructure/issues/3510"
},
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/302959"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41757"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "8.9 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "Insecure Temporary File (CWE-377)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-com/infrastructure/issues/3510"
},
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/302959"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41757"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-3710",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "8.9 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Temporary File (CWE-377)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-com/infrastructure/issues/3510",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-com/infrastructure/issues/3510"
},
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://hackerone.com/reports/302959",
"refsource": "MISC",
"url": "https://hackerone.com/reports/302959"
},
{
"name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41757",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/41757"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3710",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2017-12-28T00:00:00",
"dateUpdated": "2024-08-05T04:50:30.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0918 (GCVE-0-2017-0918)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-23 - Relative Path Traversal (CWE-23)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
8.4.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/301432"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "8.4.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "Relative Path Traversal (CWE-23)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/301432"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "8.4.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Relative Path Traversal (CWE-23)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://hackerone.com/reports/301432",
"refsource": "MISC",
"url": "https://hackerone.com/reports/301432"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0918",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:17.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0924 (GCVE-0-2017-0924)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.0.5 Fixed in 10.0.5
Affected: 10.1.0 - 10.1.5 Fixed in 10.1.6 Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/294099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.0.5 Fixed in 10.0.5"
},
{
"status": "affected",
"version": "10.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-21T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/294099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0924",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.0.5 Fixed in 10.0.5"
},
{
"version_value": "10.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
},
{
"name": "https://hackerone.com/reports/294099",
"refsource": "MISC",
"url": "https://hackerone.com/reports/294099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0924",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:17.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0917 (GCVE-0-2017-0917)
Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI?
EPSS
Summary
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitLab | GitLab Community and Enterprise Editions |
Affected:
9.1.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6 Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.004Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/299525"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab Community and Enterprise Editions",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"status": "affected",
"version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"status": "affected",
"version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
],
"datePublic": "2018-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "DSA-4145",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/299525"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0917",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab Community and Enterprise Editions",
"version": {
"version_data": [
{
"version_value": "9.1.0 - 10.1.5 Fixed in 10.1.6"
},
{
"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
},
{
"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4145",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4145"
},
{
"name": "https://hackerone.com/reports/299525",
"refsource": "MISC",
"url": "https://hackerone.com/reports/299525"
},
{
"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
"refsource": "CONFIRM",
"url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0917",
"datePublished": "2018-03-21T20:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:17.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…