vulnerability
FreeBSD: VID-467B7CBE-257D-11E9-8573-001B217B3468 (CVE-2019-6786): Gitlab -- Multiple vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | 2019-01-31 | 2019-02-01 | 2019-09-20 |
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-467B7CBE-257D-11E9-8573-001B217B3468:
Gitlab reports:
Remote Command Execution via GitLab Pages
Covert Redirect to Steal GitHub/Bitbucket Tokens
Remote Mirror Branches Leaked by Git Transfer Refs
Denial of Service with Markdown
Guests Can View List of Group Merge Requests
Guest Can View Merge Request Titles via System Notes
Persistent XSS via KaTeX
Emails Sent to Unauthorized Users
Hyperlink Injection in Notification Emails
Unauthorized Access to LFS Objects
Trigger Token Exposure
Upgrade Rails to 5.0.7.1 and 4.2.11
Contributed Project Information Visible in Private Profile
Imported Project Retains Prior Visibility Setting
Error disclosure on Project Import
Persistent XSS in User Status
Last Commit Status Leaked to Guest Users
Mitigations for IDN Homograph and RTLO Attacks
Access to Internal Wiki When External Wiki Enabled
User Can Comment on Locked Project Issues
Unauthorized Reaction Emojis by Guest Users
User Retains Project Role After Removal from Private Group
GitHub Token Leaked to Maintainers
Unauthenticated Blind SSRF in Jira Integration
Unauthorized Access to Group Membership
Validate SAML Response in Group SAML SSO
Solution
References
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.