FreeBSD: VID-C5BD9068-440F-11EA-9CDB-001B217B3468 (CVE-2020-7971): Gitlab -- Multiple Vulnerabilities
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-C5BD9068-440F-11EA-9CDB-001B217B3468:
Gitlab reports:
Path Traversal to Arbitrary File Read
User Permissions Not Validated in ProjectExportWorker
XSS Vulnerability in File API
Package and File Disclosure through GitLab Workhorse
XSS Vulnerability in Create Groups
Issue and Merge Request Activity Counts Exposed
Email Confirmation Bypass Using AP
Disclosure of Forked Private Project Source Code
Private Project Names Exposed in GraphQL queries
Disclosure of Issues and Merge Requests via Todos
Denial of Service via AsciiDoc
Last Pipeline Status Exposed
Arbitrary Change of Pipeline Status
Grafana Token Displayed in Plaintext
Update excon gem
Update rdoc gem
Update rack-cors gem
Update rubyzip gem
Solution(s)
- freebsd-upgrade-package-gitlab-ce
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center