Bug 1150095 - VUL-0: gitlab: GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8
VUL-0: gitlab: GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Marcus Rückert
Security Team bot
https://smash.suse.de/issue/242049/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-10 06:38 UTC by Alexander Bergmann
Modified: 2019-10-16 11:38 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-09-10 06:38:45 UTC
Aug 29, 2019 - Andrew Kelly  

GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8 

- CVE-2019-15728: Kubernetes Integration Server-Side Request Forgery
- CVE-2019-15730: Server-Side Request Forgery in Jira Integration
- CVE-2019-15722: Markdown Clientside Resource Exhaustion
- CVE-2019-15729: Pipeline Status Disclosure
- CVE-2019-15721: Group Runner Authorization Issue
- CVE-2019-15727: CI Metrics Disclosure
- CVE-2019-15726: User IP Disclosed by Embedded Image and Media
- CVE-2019-15724: Label Description HTML Injection
- CVE-2019-15725: IDOR in Epic Notes API
- CVE-2019-15723: Push Rule Bypass
- CVE-2019-15732: Project Visibility Restriction Bypass
- CVE-2019-15731: Merge Request Discussion Restriction Bypass
- CVE-2019-15738: Disclosure of Merge Request IDs
- CVE-2019-15737: Weak Authentication In Certain Account Actions
- CVE-2019-15734: Disclosure of Commit Title and Comments
- CVE-2019-15739: Stored XSS via Markdown
- CVE-2019-15740: EXIF Geolocation Data Exposure
- CVE-2019-15733: Default Branch Name Exposure
- CVE-2019-15736: Potential Denial of Service via CI Pipelines

References:
https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/
Comment 1 Marcus Rückert 2019-10-16 11:38:05 UTC
all long done