[Git][security-tracker-team/security-tracker][master] Add new CVEs from gitlab advisory from 2020/01/30

Salvatore Bonaccorso carnil at debian.org
Mon Feb 3 08:27:49 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7db940e6 by Salvatore Bonaccorso at 2020-02-03T09:27:22+01:00
Add new CVEs from gitlab advisory from 2020/01/30

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -832,8 +832,10 @@ CVE-2020-8116
 	RESERVED
 CVE-2020-8115
 	RESERVED
-CVE-2020-8114
+CVE-2020-8114 [User Permissions Not Validated in ProjectExportWorker]
 	RESERVED
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
 CVE-2020-8113
 	RESERVED
 CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...)
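Review bot: The new CVE-2020-8114 entry records `gitlab <unfixed>` but, unlike the entries for the other CVEs from the same advisory, gives no affected-version range. The advisory title suggests these were assigned per-component; adding the range in parentheses (as done for the `<not-affected>` entries, e.g. `(Only affects Gitlab EE 12.0 and later)`) or a short "affects CE and EE" remark would make it clear the `<unfixed>` status was checked against the Debian package rather than assumed.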
@@ -1168,34 +1170,58 @@ CVE-2020-7981 (sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injectio
 	NOTE: https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613
 CVE-2020-7980 (Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary  ...)
 	NOT-FOR-US: Intellian Aptus Web
-CVE-2020-7979
+CVE-2020-7979 [Private Project Names Exposed in GraphQL queries]
 	RESERVED
-CVE-2020-7978
+	- gitlab <not-affected> (Only affects Gitlab EE 12.0 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7978 [Denial of Service via AsciiDoc]
 	RESERVED
-CVE-2020-7977
+	- gitlab <not-affected> (Only affects Gitlab EE 12.6 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7977 [Arbitrary Change of Pipeline Status]
 	RESERVED
-CVE-2020-7976
+	- gitlab <not-affected> (Only affects Gitlab EE 8.8 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7976 [Grafana Token Displayed in Plaintext]
 	RESERVED
+	- gitlab <not-affected> (Only affects Gitlab EE 12.4 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
 CVE-2020-7975
 	RESERVED
-CVE-2020-7974
+CVE-2020-7974 [Last Pipeline Status Exposed]
 	RESERVED
-CVE-2020-7973
+	- gitlab <not-affected> (Only affects Gitlab EE 10.1 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7973 [XSS Vulnerability in File API]
 	RESERVED
-CVE-2020-7972
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7972 [Email Confirmation Bypass Using API]
 	RESERVED
-CVE-2020-7971
+	- gitlab <not-affected> (Only affects Gitlab EE 12.0 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7971 [XSS Vulnerability in Create Groups]
 	RESERVED
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
 CVE-2020-7970
 	RESERVED
-CVE-2020-7969
+CVE-2020-7969 [Disclosure of Issues and Merge Requests via Todos]
 	RESERVED
-CVE-2020-7968
+	- gitlab <not-affected> (Only affects Gitlab EE 8.0 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7968 [Disclosure of Forked Private Project Source Code]
 	RESERVED
-CVE-2020-7967
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7967 [Issue and Merge Request Activity Counts Exposed]
 	RESERVED
-CVE-2020-7966
+	- gitlab <not-affected> (ONly affects Gitlab EE 12.0 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
+CVE-2020-7966 [Path Traversal to Arbitrary File Read]
 	RESERVED
+	- gitlab <not-affected> (Only affects Gitlab EE 11.11 and later)
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
 CVE-2020-7965 (flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Con ...)
 	NOT-FOR-US: webargs
 CVE-2020-7964 (An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect  ...)
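Review bot: Typo in the CVE-2020-7967 entry: `(ONly affects Gitlab EE 12.0 and later)` should read `(Only affects Gitlab EE 12.0 and later)`, matching the wording of the neighbouring entries. Also, CVE-2020-7975 and CVE-2020-7970 sit in the middle of this block of GitLab CVEs but are left as bare `RESERVED` with no title or package line; if they are not part of the 2020/01/30 advisory it is worth saying so (or adding a `NOTE:` to that effect) so a later reader does not assume they were simply missed.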
@@ -3676,8 +3702,10 @@ CVE-2020-6835 (An issue was discovered in Bftpd before 5.4. There is a heap-base
 	- bftpd <itp> (bug #640469)
 CVE-2020-6834
 	RESERVED
-CVE-2020-6833
+CVE-2020-6833 [Package and File Disclosure through GitLab Workhorse]
 	RESERVED
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
 CVE-2020-6832 (An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 throug ...)
 	- gitlab <unfixed>
 	NOTE: https://about.gitlab.com/releases/2020/01/13/critical-security-release-gitlab-12-dot-6-dot-4-released/
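Review bot: The CVE-2020-6833 title names GitLab Workhorse as the affected component, but the entry only tracks `gitlab`. If Debian ships Workhorse from a separate source package, that package needs its own `- ... <unfixed>` line (or an explicit `<not-affected>` with a reason), otherwise the fix status of the actually vulnerable code will not be tracked.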



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7db940e6582564a5b913ee19e08477599fffb4ff


