FreeBSD : GitLab -- multiple vulnerabilities (86291013-16e6-11e8-ae9f-d43d7e971a1b)

High Nessus Plugin ID 106939

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

GitLab reports:

SnippetFinder information disclosure. The GitLab SnippetFinder component contained an information disclosure which allowed access to snippets restricted to "Only team members" or configured as disabled. The issue is now resolved in the latest version.

LDAP API authorization issue. An LDAP API endpoint contained an authorization vulnerability which unintentionally disclosed bulk LDAP groups data. This issue is now fixed in the latest release.

Persistent XSS in mermaid markdown. The mermaid markdown feature contained a persistent XSS issue that is now resolved in the latest release.

Insecure direct object reference in the Todo API. The Todo API was vulnerable to an insecure direct object reference issue which resulted in an information disclosure of confidential data.

GitHub import access control issue. An improper access control weakness was discovered in the GitHub import feature. The issue allowed an attacker to create projects under other accounts which they shouldn't have access to. The issue is now resolved in the latest version.

Protected variables information disclosure. The CI jobs protected tag feature contained a vulnerability which resulted in an information disclosure of protected variables. The issue is now resolved in the latest release.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?1d363718

http://www.nessus.org/u?d5fb51c1

Plugin Details

Severity: High

ID: 106939

File Name: freebsd_pkg_8629101316e611e8ae9fd43d7e971a1b.nasl

Version: 3.1

Type: local

Published: 2018/02/22

Modified: 2018/02/22

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:gitlab, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2018/02/21

Vulnerability Publication Date: 2018/02/07