[DRE-maint] Bug#924447: gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221 CVE-2019-9222 CVE-2019-9223 CVE-2019-9224 CVE-2019-9225 CVE-2019-9485
Salvatore Bonaccorso
carnil at debian.org
Wed Mar 13 05:37:35 GMT 2019
Source: gitlab
Version: 11.5.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.8.0-1
Hi,
The following vulnerabilities were published for gitlab, filing for
tracking purposes.
CVE-2019-9170[0]:
IDOR milestone name information disclosure
CVE-2019-9171[1]:
Milestone name disclosure
CVE-2019-9172[2]:
Merge request information disclosure
CVE-2019-9174[3]:
Blind SSRF in prometheus integration
CVE-2019-9175[4]:
Burndown chart information disclosure
CVE-2019-9176[5]:
CSRF add Kubernetes cluster integration
CVE-2019-9178[6]:
Private merge request titles in public project information disclosure
CVE-2019-9179[7]:
Private namespace disclosure in email notification when issue is moved
CVE-2019-9217[8]:
NPM automatic package referencer
CVE-2019-9219[9]:
Issue board name disclosure
CVE-2019-9220[10]:
Issue DoS via Mermaid
CVE-2019-9221[11]:
Arbitrary file read via MergeRequestDiff
CVE-2019-9222[12]:
Path traversal snippet mover
CVE-2019-9223[13]:
Information disclosure repo existence
CVE-2019-9224[14]:
Milestone name disclosure
CVE-2019-9225[15]:
Issue board name disclosure
CVE-2019-9485[16]:
Privilege escalation impersonate user
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9170
[1] https://security-tracker.debian.org/tracker/CVE-2019-9171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171
[2] https://security-tracker.debian.org/tracker/CVE-2019-9172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9172
[3] https://security-tracker.debian.org/tracker/CVE-2019-9174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9174
[4] https://security-tracker.debian.org/tracker/CVE-2019-9175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9175
[5] https://security-tracker.debian.org/tracker/CVE-2019-9176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9176
[6] https://security-tracker.debian.org/tracker/CVE-2019-9178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9178
[7] https://security-tracker.debian.org/tracker/CVE-2019-9179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9179
[8] https://security-tracker.debian.org/tracker/CVE-2019-9217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9217
[9] https://security-tracker.debian.org/tracker/CVE-2019-9219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9219
[10] https://security-tracker.debian.org/tracker/CVE-2019-9220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9220
[11] https://security-tracker.debian.org/tracker/CVE-2019-9221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9221
[12] https://security-tracker.debian.org/tracker/CVE-2019-9222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9222
[13] https://security-tracker.debian.org/tracker/CVE-2019-9223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9223
[14] https://security-tracker.debian.org/tracker/CVE-2019-9224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224
[15] https://security-tracker.debian.org/tracker/CVE-2019-9225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9225
[16] https://security-tracker.debian.org/tracker/CVE-2019-9485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9485
Regards,
Salvatore