Source: gitlab
Version: 11.8.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,

The following vulnerabilities were published for gitlab, fixed upstream
in the 11.9.4, 11.8.6, and 11.7.10 releases.

CVE-2018-5158[0]:
| The PDF viewer does not sufficiently sanitize PostScript calculator
| functions, allowing malicious JavaScript to be injected through a
| crafted PDF file. This JavaScript can then be run with the permissions
| of the PDF viewer by its worker. This vulnerability affects Firefox
| ESR < 52.8 and Firefox < 60.

CVE-2019-10109[1]:
    EXIF geolocation data not stripped from uploaded images

CVE-2019-10110[2]:
    Improper authorization control "move issue"

CVE-2019-10111[3]:
    Persistent XSS at merge request resolve conflicts

CVE-2019-10113[4]:
    DoS potential on project languages page

CVE-2019-10115[5]:
    Guest users of private projects have access to releases

CVE-2019-10116[6]:
    Related branches visible in issues for guests

CVE-2019-10640[7]:
    DoS potential for regex in CI/CD refs

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5158
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158
[1] https://security-tracker.debian.org/tracker/CVE-2019-10109
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109
[2] https://security-tracker.debian.org/tracker/CVE-2019-10110
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10110
[3] https://security-tracker.debian.org/tracker/CVE-2019-10111
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10111
[4] https://security-tracker.debian.org/tracker/CVE-2019-10113
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10113
[5] https://security-tracker.debian.org/tracker/CVE-2019-10115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10115
[6] https://security-tracker.debian.org/tracker/CVE-2019-10116
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10116
[7] https://security-tracker.debian.org/tracker/CVE-2019-10640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10640
[8] https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/

Regards,
Salvatore
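The report names three fixed upstream releases on three maintenance branches (11.9.4, 11.8.6, 11.7.10), so "is my install affected?" is a branch-aware comparison rather than a single version threshold. The following is an added example, not code from the bug report, from Debian or from GitLab, that performs that check against the reported package version 11.8.3-1 and similar strings. It assumes the Debian-style version layout "X.Y.Z-rev" (the Debian revision is ignored), that any branch newer than 11.9 was cut after the fixes landed and is therefore treated as fixed, and that branches older than 11.7 received no fixed release and are therefore treated as vulnerable; the CVE list is the one from the report.

```python
"""Branch-aware check of a GitLab version against the fixed releases named
in the advisory (11.9.4, 11.8.6, 11.7.10). Added example; assumptions are
marked inline."""
import re
import sys

# Fixed upstream releases from the report, keyed by (major, minor) branch.
FIXED_BRANCHES = {
    (11, 9): (11, 9, 4),
    (11, 8): (11, 8, 6),
    (11, 7): (11, 7, 10),
}

# CVEs the report says these releases address.
ADVISORY_CVES = (
    "CVE-2018-5158",
    "CVE-2019-10109",
    "CVE-2019-10110",
    "CVE-2019-10111",
    "CVE-2019-10113",
    "CVE-2019-10115",
    "CVE-2019-10116",
    "CVE-2019-10640",
)

# Leading upstream "major.minor.patch"; anything after (e.g. "-1" Debian
# revision, "+dfsg", "-ee") is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from '11.8.3' or '11.8.3-1'.
    Raises ValueError for strings that do not start with three numbers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised gitlab version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version, fixed_branches=FIXED_BRANCHES):
    """True if `version` already carries the advisory's fixes.

    - branch listed in fixed_branches: compare the patch level on that branch
    - branch newer than every listed branch: treated as fixed (assumption:
      later branches were cut after the fixes landed)
    - branch older than every listed branch: no fixed release exists for it,
      so treated as vulnerable (an upgrade across branches is required)
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in fixed_branches:
        return (major, minor, patch) >= fixed_branches[branch]
    return branch > max(fixed_branches)


def affected_cves(version):
    """CVE ids from the report that still apply to `version` (empty if fixed)."""
    return () if is_fixed(version) else ADVISORY_CVES


def minimum_fixed_release(version, fixed_branches=FIXED_BRANCHES):
    """Smallest fixed release on the same branch, or on the oldest fixed
    branch when the installed branch predates every fixed one."""
    major, minor, _ = parse_version(version)
    branch = (major, minor)
    if branch in fixed_branches:
        return fixed_branches[branch]
    return fixed_branches[min(fixed_branches)]


if __name__ == "__main__":
    # Usage: python check.py 11.8.3-1
    installed = sys.argv[1] if len(sys.argv) > 1 else "11.8.3-1"
    cves = affected_cves(installed)
    if cves:
        need = ".".join(map(str, minimum_fixed_release(installed)))
        print(f"{installed}: affected by {', '.join(cves)}; upgrade to >= {need}")
    else:
        print(f"{installed}: fixed")
```

Running it against the version in the report header (11.8.3-1) reports all eight CVEs and names 11.8.6 as the minimum fix on that branch; a 11.6.x install is also reported as affected, since no 11.6 fix was issued and the recommended target is the oldest fixed branch.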