CVSS2
Attack Vector : NETWORK
Attack Complexity : LOW
Authentication : NONE
Confidentiality Impact : NONE
Integrity Impact : NONE
Availability Impact : PARTIAL
Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : NONE
Integrity Impact : HIGH
Availability Impact : NONE
Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS
Percentile : 48.0%

Severity: High
Date : 2021-05-19
CVE-ID : CVE-2021-22206 CVE-2021-22208 CVE-2021-22209 CVE-2021-22210
CVE-2021-22211
Package : gitlab
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1888

The package gitlab before version 13.10.4-1 is vulnerable to multiple
issues including insufficient validation, access restriction bypass,
denial of service and information disclosure.

Upgrade to 13.10.4-1.

The problems have been fixed upstream in version 13.10.4.

Workaround : None.

An issue has been discovered in GitLab affecting all versions prior to
11.6. Pull mirror credentials were exposed and could allow other
maintainers to view the credentials in plain-text. The issue is fixed
in GitLab versions 13.11.2, 13.10.4 and 13.9.7.

An issue has been discovered in GitLab affecting versions prior to
13.5. Improper permission check could allow the change of timestamp for
issue creation or update. The issue is fixed in GitLab versions
13.11.2, 13.10.4 and 13.9.7.

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.8. GitLab was not properly validating authorisation
tokens which resulted in GraphQL mutation being executed. The issue is
fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.2. When querying the repository branches through API,
GitLab was ignoring a query parameter and returning a considerable
amount of results. The issue is fixed in GitLab versions 13.11.2,
13.10.4 and 13.9.7.

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.7. GitLab Dependency Proxy, under certain
circumstances, can impersonate a user resulting in possibly incorrect
access handling. The issue is fixed in GitLab versions 13.11.2, 13.10.4
and 13.9.7.

A remote attacker could obtain sensitive pull mirror credentials,
manipulate issue creation timestamps, execute GraphQL mutations, cause
denial of service by generating large API query responses, or
impersonate other users.

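Because the fixes shipped in three upstream release lines (13.11.2, 13.10.4 and 13.9.7), a single "version >= 13.10.4" threshold misclassifies hosts on other lines. The following check is an added example, not part of the advisory or of GitLab; the function names and the status strings are illustrative, and treating release lines after 13.11 as fixed is an assumption.

```python
import re

# Fixed upstream patch level per release line, as listed in the advisory.
FIXED_PATCH = {(13, 9): 7, (13, 10): 4, (13, 11): 2}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\w+))?")


def parse(version):
    """Return (major, minor, patch, pkgrel) from strings such as
    '13.10.3', '13.10.3-ee' or the Arch form '13.10.4-1'."""
    m = _VERSION.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    pkgrel = int(suffix) if suffix.isdigit() else 0
    return major, minor, patch, pkgrel


def upstream_status(version):
    """Classify an upstream GitLab version against the fixed releases."""
    major, minor, patch, _ = parse(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[line] else "vulnerable"
    if line > max(FIXED_PATCH):
        # Assumption: release lines after 13.11 ship with the fixes included.
        return "fixed"
    # Older lines: the advisory names no fixed release for them.
    return "no-fix-listed"


def naive_status(version):
    """The common mistake: one threshold compared across all release lines."""
    return "fixed" if parse(version)[:3] >= (13, 10, 4) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory of version strings.
    for v in ("13.8.8", "13.9.6", "13.9.7", "13.10.3-ee", "13.11.1", "13.11.2"):
        print(f"{v:11} branch-aware={upstream_status(v):14} naive={naive_status(v)}")
```

The naive threshold reports 13.11.1 as fixed and 13.9.7 as vulnerable; the branch-aware check reverses both.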
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#pull-mirror-credentials-were-exposed
https://gitlab.com/gitlab-org/gitlab/-/issues/230864
https://hackerone.com/reports/928074
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#non-owners-can-set-system_note_timestamp-when-creating--updating-issues
https://gitlab.com/gitlab-org/gitlab/-/issues/301212
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#read-api-scoped-tokens-can-execute-mutations
https://gitlab.com/gitlab-org/gitlab/-/issues/327155
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#denial-of-service-when-querying-repository-branches-api
https://gitlab.com/gitlab-org/gitlab/-/issues/322500
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#deploytoken-will-impersonate-a-user-with-the-same-id-when-using-dependency-proxy
https://gitlab.com/gitlab-org/gitlab/-/issues/298847
https://security.archlinux.org/CVE-2021-22206
https://security.archlinux.org/CVE-2021-22208
https://security.archlinux.org/CVE-2021-22209
https://security.archlinux.org/CVE-2021-22210
https://security.archlinux.org/CVE-2021-22211