FreeBSD : Gitlab -- Multiple vulnerabilities (5d5e5cda-38e6-11eb-bbbf-001b217b3468)

medium Nessus Plugin ID 143543

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Gitlab reports :

XSS in Zoom Meeting URL

Limited Information Disclosure in Private Profile

User email exposed via GraphQL endpoint

Group and project membership potentially exposed via GraphQL

Search terms logged in search parameter in rails logs

Un-authorised access to feature flag user list

A specific query on the explore page causes statement timeouts

Exposure of starred projects on private user profiles

Uncontrolled Resource Consumption in any Markdown field using Mermaid

Former group members able to view updates to confidential epics

Update GraphicsMagick dependency

Update GnuPG dependency

Update libxml dependency

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?7bd03e15

http://www.nessus.org/u?17aac690

Plugin Details

Severity: Medium

ID: 143543

File Name: freebsd_pkg_5d5e5cda38e611ebbbbf001b217b3468.nasl

Version: 1.5

Type: local

Published: 12/8/2020

Updated: 5/11/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-26408

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-26407

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:gitlab-ce, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 12/7/2020

Vulnerability Publication Date: 12/7/2020

Reference Information

CVE: CVE-2020-13357, CVE-2020-26407, CVE-2020-26408, CVE-2020-26409, CVE-2020-26411