FreeBSD : Gitlab -- Multiple Vulnerabilities (54006796-cf7b-11ed-a5d5-001b217b3468)

critical Nessus Plugin ID 173722

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 54006796-cf7b-11ed-a5d5-001b217b3468 advisory.

- Gitlab reports: Cross-site scripting in Maximum page reached page Private project guests can read new changes using a fork Mirror repository error reveals password in Settings UI DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint Unauthenticated users can view Environment names from public projects limited to project members only Copying information to the clipboard could lead to the execution of unexpected commands Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown MR for security reports are available to everyone API timeout when searching for group issues Unauthorised user can add child epics linked to victim's epic in an unrelated group GitLab search allows to leak internal notes Ambiguous branch name exploitation in GitLab Improper permissions checks for moving an issue Private project branches names can be leaked through a fork (CVE-2022-3375, CVE-2022-3513, CVE-2023-0155)

- An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing reading of environment names supposed to be restricted to project members only. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, 5.8). It is now mitigated in the latest release and is assigned CVE-2023-0319. (CVE-2023-0319)

- An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible to add a branch with an ambiguous name that could be used to social engineer users. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2023-0450. (CVE-2023-0450)

- An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role could read project updates by doing a diff with a pre-existing fork. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0485. (CVE-2023-0485)

- An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. On certain instances, a stored XSS was possible via a malicious email address, which only affected the admins when they tried to impersonate the account with the malicious payload. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-0523. (CVE-2023-0523)

- An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the url. This addresses an incomplete fix for CVE-2022-4342. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-0838. (CVE-2023-0838)

- An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1071. (CVE-2023-1071)

- An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 will allow an admin to leak password from repository mirror configuration. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N, 5.8). It is now mitigated in the latest release and is assigned CVE-2023-1098. (CVE-2023-1098)

- Improper authorization in GitLab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in merge requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-1167. (CVE-2023-1167)

- An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to a victim's epic in an unrelated group. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1417. (CVE-2023-1417)

- An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters are copied from clipboard, allowing unexpected commands to be executed on the victim machine. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now mitigated in the latest release and is assigned CVE-2023-1708. (CVE-2023-1708)

- A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-1710 (CVE-2023-1710)

- A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L, 5.8). It is now mitigated in the latest release and is assigned CVE-2023-1733. (CVE-2023-1733)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?43e3f19d

http://www.nessus.org/u?70e347ee

Plugin Details

Severity: Critical

ID: 173722

File Name: freebsd_pkg_54006796cf7b11eda5d5001b217b3468.nasl

Version: 1.7

Type: local

Published: 3/31/2023

Updated: 5/14/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-1708

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:gitlab-ce

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/31/2023

Vulnerability Publication Date: 3/30/2023

Reference Information

CVE: CVE-2022-3375, CVE-2022-3513, CVE-2023-0155, CVE-2023-0319, CVE-2023-0450, CVE-2023-0485, CVE-2023-0523, CVE-2023-0838, CVE-2023-1071, CVE-2023-1098, CVE-2023-1167, CVE-2023-1417, CVE-2023-1708, CVE-2023-1710, CVE-2023-1733

IAVA: 2023-A-0168-S