Source: gitlab
Version: 11.5.5+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.6.0+dfsg-1

Hi,

The following vulnerabilities were published for gitlab, fixed in the
11.6.1, 11.5.6, and 11.4.13 versions, cf. [15].

CVE-2018-20488[0]: Secret CI variable exposure
CVE-2018-20489[1]: URL rel attribute not set
CVE-2018-20490[2]: Persistent XSS Autocompletion
CVE-2018-20491[3]: Persistent XSS wiki in IE browser
CVE-2018-20492[4]: Todos improper access control
CVE-2018-20493[5]: Source code disclosure merge request diff
CVE-2018-20494[6]: Guest user CI job disclosure
CVE-2018-20495[7]: CI job token LFS error message disclosure
CVE-2018-20496[8]: Persistent XSS label reference
CVE-2018-20497[9]: SSRF repository mirroring
CVE-2018-20498[10]: Improper access control branches and tags
CVE-2018-20499[11]: SSRF in project imports with LFS
CVE-2018-20500[12]: Improper access control CI/CD settings
CVE-2018-20501[13]: Missing authorization control merge requests
CVE-2018-20507[14]: Missing authentication for Prometheus alert endpoint

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20488
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20488
[1] https://security-tracker.debian.org/tracker/CVE-2018-20489
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20489
[2] https://security-tracker.debian.org/tracker/CVE-2018-20490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20490
[3] https://security-tracker.debian.org/tracker/CVE-2018-20491
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20491
[4] https://security-tracker.debian.org/tracker/CVE-2018-20492
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20492
[5] https://security-tracker.debian.org/tracker/CVE-2018-20493
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20493
[6] https://security-tracker.debian.org/tracker/CVE-2018-20494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20494
[7] https://security-tracker.debian.org/tracker/CVE-2018-20495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20495
[8] https://security-tracker.debian.org/tracker/CVE-2018-20496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20496
[9] https://security-tracker.debian.org/tracker/CVE-2018-20497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20497
[10] https://security-tracker.debian.org/tracker/CVE-2018-20498
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20498
[11] https://security-tracker.debian.org/tracker/CVE-2018-20499
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20499
[12] https://security-tracker.debian.org/tracker/CVE-2018-20500
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20500
[13] https://security-tracker.debian.org/tracker/CVE-2018-20501
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20501
[14] https://security-tracker.debian.org/tracker/CVE-2018-20507
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20507
[15] https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/

Regards,
Salvatore
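The report names three fixed upstream releases (11.4.13, 11.5.6, 11.6.1), one per maintained branch, and two affected Debian versions (11.5.5+dfsg-1, 11.6.0+dfsg-1). Deciding whether a given package is covered therefore means mapping a Debian version string back to its upstream triple and comparing it against the fixed release of its own branch, not against a single version. The following helper is an added example, not part of the report or of the gitlab package; the FIXED_RELEASES table is taken from the report, and the treatment of branches outside 11.4 to 11.6 (newer branches assumed fixed, older ones with no fixed release listed reported unfixed) is an assumption made here, not something the report states.

```python
import re

# Fixed upstream releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (11, 4): (11, 4, 13),
    (11, 5): (11, 5, 6),
    (11, 6): (11, 6, 1),
}

# Optional Debian epoch ("1:"), then the upstream X.Y.Z triple; anything after
# the triple ("+dfsg-1", "-2~bpo9+1") is a repack/revision suffix and is ignored.
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)\.(\d+)")


def upstream_version(debian_version):
    """Return the upstream (major, minor, patch) triple of a Debian version string.

    "11.5.5+dfsg-1" -> (11, 5, 5); "1:11.6.0+dfsg-1" -> (11, 6, 0).
    Raises ValueError for strings that do not start with an X.Y.Z triple.
    """
    m = _VERSION_RE.match(debian_version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % (debian_version,))
    return tuple(int(part) for part in m.groups())


def is_fixed(debian_version):
    """True if the given package version carries the fixes from this advisory.

    On one of the three branches the version is fixed when it is at or above
    that branch's fixed release. Assumption (not stated in the report): branches
    newer than 11.6 include the fix; branches older than 11.4 have no fixed
    release listed and are reported as unfixed.
    """
    version = upstream_version(debian_version)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    return branch > max(FIXED_RELEASES)


def triage(debian_versions):
    """Map each version string to 'fixed' or 'unfixed' for a quick package audit."""
    return {v: ("fixed" if is_fixed(v) else "unfixed") for v in debian_versions}


if __name__ == "__main__":
    # Constructed sample input: the two versions from the report plus the
    # minimum fixed release of each branch.
    for version, status in triage(
        ["11.5.5+dfsg-1", "11.6.0+dfsg-1", "11.4.13", "11.5.6", "11.6.1"]
    ).items():
        print(version, status)
```

The branch-aware comparison matters because a naive "version >= 11.6.1" check would wrongly mark 11.5.6 and 11.4.13 as unfixed, and a naive "version >= 11.4.13" check would wrongly mark 11.5.5 and 11.6.0 as fixed.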