FreeBSD : Gitlab -- multiple vulnerabilities (dc0c201c-31da-11e8-ac53-d8cb8abf62dd)

medium Nessus Plugin ID 108704

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

GitLab reports:

SSRF in services and web hooks

There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution. This issue has been assigned CVE-2018-8801.

GitLab Auth0 integration issue

There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?ec048c91

http://www.nessus.org/u?3ee4bab5

Plugin Details

Severity: Medium

ID: 108704

File Name: freebsd_pkg_dc0c201c31da11e8ac53d8cb8abf62dd.nasl

Version: 1.6

Type: local

Published: 3/29/2018

Updated: 11/22/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2018-8801

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:gitlab, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/27/2018

Vulnerability Publication Date: 3/20/2018

Reference Information

CVE: CVE-2018-8801