[Git][security-tracker-team/security-tracker][master] Add new CVEs from gitlab advisory from 2020/01/30
Salvatore Bonaccorso
carnil at debian.org
Mon Feb 3 08:27:49 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7db940e6 by Salvatore Bonaccorso at 2020-02-03T09:27:22+01:00
Add new CVEs from gitlab advisory from 2020/01/30
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -832,8 +832,10 @@ CVE-2020-8116
RESERVED
CVE-2020-8115
RESERVED
-CVE-2020-8114
+CVE-2020-8114 [User Permissions Not Validated in ProjectExportWorker]
RESERVED
+ - gitlab <unfixed>
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
CVE-2020-8113
RESERVED
CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...)
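Review bot: the new CVE-2020-8114 entry is marked gitlab <unfixed> with only the release-post URL, whereas the other GitLab entries added in this commit carry an explicit "(Only affects Gitlab EE ... and later)" rationale where they are not-affected; a matching version note stating which GitLab versions the ProjectExportWorker permission check is missing from (and which release fixed it) would make the <unfixed> status verifiable when the Debian package is updated. Also consider adding the GitLab issue or merge-request link alongside the release post when one is published, since the release post alone does not identify the fixing commit.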
@@ -1168,34 +1170,58 @@ CVE-2020-7981 (sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injectio
NOTE: https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613
CVE-2020-7980 (Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary ...)
NOT-FOR-US: Intellian Aptus Web
-CVE-2020-7979
+CVE-2020-7979 [Private Project Names Exposed in GraphQL queries]
RESERVED
-CVE-2020-7978
+ - gitlab <not-affected> (Only affects Gitlab EE 12.0 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7978 [Denial of Service via AsciiDoc]
RESERVED
-CVE-2020-7977
+ - gitlab <not-affected> (Only affects Gitlab EE 12.6 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7977 [Arbitrary Change of Pipeline Status]
RESERVED
-CVE-2020-7976
+ - gitlab <not-affected> (Only affects Gitlab EE 8.8 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7976 [Grafana Token Displayed in Plaintext]
RESERVED
+ - gitlab <not-affected> (Only affects Gitlab EE 12.4 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
CVE-2020-7975
RESERVED
-CVE-2020-7974
+CVE-2020-7974 [Last Pipeline Status Exposed]
RESERVED
-CVE-2020-7973
+ - gitlab <not-affected> (Only affects Gitlab EE 10.1 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7973 [XSS Vulnerability in File API]
RESERVED
-CVE-2020-7972
+ - gitlab <unfixed>
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7972 [Email Confirmation Bypass Using API]
RESERVED
-CVE-2020-7971
+ - gitlab <not-affected> (Only affects Gitlab EE 12.0 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7971 [XSS Vulnerability in Create Groups]
RESERVED
+ - gitlab <unfixed>
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
CVE-2020-7970
RESERVED
-CVE-2020-7969
+CVE-2020-7969 [Disclosure of Issues and Merge Requests via Todos]
RESERVED
-CVE-2020-7968
+ - gitlab <not-affected> (Only affects Gitlab EE 8.0 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7968 [Disclosure of Forked Private Project Source Code]
RESERVED
-CVE-2020-7967
+ - gitlab <unfixed>
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7967 [Issue and Merge Request Activity Counts Exposed]
RESERVED
-CVE-2020-7966
+ - gitlab <not-affected> (ONly affects Gitlab EE 12.0 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7966 [Path Traversal to Arbitrary File Read]
RESERVED
+ - gitlab <not-affected> (Only affects Gitlab EE 11.11 and later)
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
CVE-2020-7965 (flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Con ...)
NOT-FOR-US: webargs
CVE-2020-7964 (An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect ...)
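Review bot: the not-affected note for CVE-2020-7967 reads "ONly affects Gitlab EE 12.0 and later"; fix the capitalisation to "Only" so it matches the other seven not-affected notes in this hunk. The EE-only rationale is applied consistently (8.0, 8.8, 10.1, 11.11, 12.0, 12.4 and 12.6 for the respective feature introductions), but every one of these <not-affected> markings rests on the Debian gitlab package building the Community Edition; it would be worth stating that assumption once, either in a NOTE line or in the package's tracker notes, so a future reviewer does not have to re-derive why EE-only issues are dismissed. CVE-2020-7975 and CVE-2020-7970 are left as bare RESERVED between the annotated entries; if they are not covered by the 12.7.4 release post that is fine, but a one-line NOTE saying so would avoid them being mistaken for omissions.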
@@ -3676,8 +3702,10 @@ CVE-2020-6835 (An issue was discovered in Bftpd before 5.4. There is a heap-base
- bftpd <itp> (bug #640469)
CVE-2020-6834
RESERVED
-CVE-2020-6833
+CVE-2020-6833 [Package and File Disclosure through GitLab Workhorse]
RESERVED
+ - gitlab <unfixed>
+ NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
CVE-2020-6832 (An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 throug ...)
- gitlab <unfixed>
NOTE: https://about.gitlab.com/releases/2020/01/13/critical-security-release-gitlab-12-dot-6-dot-4-released/
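Review bot: the CVE-2020-6833 title attributes the disclosure to GitLab Workhorse, yet the entry lists only the gitlab source package as <unfixed>; if Workhorse is tracked as its own source package in Debian, it needs a separate line under this CVE, and if it is not, a NOTE stating that the fix lands through the gitlab package would settle the question. As with the other new entries, the only reference is the release post; adding the upstream fix reference when it becomes public will help whoever backports or verifies the Workhorse change.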
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7db940e6582564a5b913ee19e08477599fffb4ff