Gitlab reports: Execute environment stop actions as the owner of the stop action job Prevent code injection in Product Analytics funnels YAML SSRF via Dependency Proxy Denial of Service via sending a large glm_source parameter CI_JOB_TOKEN can be used to obtain GitLab session token Variables from settings are not overwritten by PEP if a template is included Guests can disclose the full source code of projects using custom group-level templates IdentitiesController allows linking of arbitrary unclaimed provider identities Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow Open redirect in release permanent links can lead to account takeover through broken OAuth flow Guest user with Admin group member permission can edit custom role to gain other permissions Exposure of protected and masked CI/CD variables by abusing on-demand DAST Credentials disclosed when repository mirroring fails Commit information visible through release atom endpoint for guest users Dependency Proxy Credentials are Logged in Plaintext in graphql Logs User Application can spoof the redirect url Group Developers can view group runners…Read More
References
Back to Main