Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22166PUBLISHED: 2021-01-15An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method
CVE-2021-22167PUBLISHED: 2021-01-15An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
CVE-2021-22168PUBLISHED: 2021-01-15A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
CVE-2021-22171PUBLISHED: 2021-01-15Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
CVE-2020-26414PUBLISHED: 2021-01-15An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
User Rank: Ninja
2/28/2019 | 9:35:01 PM
Yes there are deficiencies. But I believe it to be a better allocation of funding to try and create more proficient and consistent coding then trying to throw bodies at it retroactively for review. I understand that if there is a shortage in one security facet then it may persist into others. But coders and app dev individuals that could be helpful in this endeavor are not part of that shortage.
Respectfully, I understand your inquiry. But I'm an Security Engineer. Crafting solutions is part of my day to day and this is again just one person's opinion at a plausible solution. Without attempting any solutions, we will all pontificate until this article is re-written in the years to come.