Arch Linux alert ASA-202102-11 (gitlab)
| From: | Remi Gacogne via arch-security <arch-security@lists.archlinux.org> | |
| To: | arch-security@archlinux.org | |
| Subject: | [ASA-202102-11] gitlab: information disclosure | |
| Date: | Fri, 12 Feb 2021 08:05:43 +0100 | |
| Message-ID: | <e262fafa-2765-ec49-f618-e89f34775f0f@archlinux.org> | |
| Cc: | Remi Gacogne <rgacogne@archlinux.org> |
Arch Linux Security Advisory ASA-202102-11 ========================================== Severity: Medium Date : 2021-02-06 CVE-ID : CVE-2021-22172 Package : gitlab Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-1521 Summary ======= The package gitlab before version 13.8.2-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 13.8.2-1. # pacman -Syu "gitlab>=13.8.2-1" The problem has been fixed upstream in version 13.8.2. Workaround ========== None. Description =========== Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page. The issue is fixed in versions 13.8.2, 13.7.6 and 13.6.6. Impact ====== A guest user can view tag data that should be inaccessible on the releases page of a private project. References ========== https://about.gitlab.com/blog/2021/02/01/security-release... https://about.gitlab.com/blog/2021/02/01/security-release... https://gitlab.com/gitlab-org/gitlab-foss/-/commit/41b1c0... https://security.archlinux.org/CVE-2021-22172