VulnerableCode Package Details - pkg:alpm/archlinux/gitlab@13.10.4-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-msda-xqbp-qfdd Aliases: CVE-2021-22903 GHSA-5hq2-xf89-9jxq	Possible Open Redirect Vulnerability in Action Pack There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch put in an initializer can be used as a workaround. ```ruby class ActionDispatch::HostAuthorization::Permissions def sanitize_string(host) if host.start_with?(".") /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i else /\A#{Regexp.escape host}\z/i end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-1-open-redirect.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-msda-xqbp-qfdd
Aliases:
CVE-2021-22903
GHSA-5hq2-xf89-9jxq

Possible Open Redirect Vulnerability in Action Pack There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch put in an initializer can be used as a workaround. ```ruby class ActionDispatch::HostAuthorization::Permissions def sanitize_string(host) if host.start_with?(".") /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i else /\A#{Regexp.escape host}\z/i end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-1-open-redirect.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-24mf-t2wp-t7cb	An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,	CVE-2021-22206
VCID-6tyy-j5zg-zkgw	An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.	CVE-2021-22211
VCID-6yhw-9sqw-zuge	An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.	CVE-2021-22209
VCID-n7n7-hk7v-rqa4	An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.	CVE-2021-22210
VCID-unhf-zjns-n7fn	An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.	CVE-2021-22208

Vulnerability

Summary

Aliases

VCID-24mf-t2wp-t7cb

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,

CVE-2021-22206

VCID-6tyy-j5zg-zkgw

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.

CVE-2021-22211

VCID-6yhw-9sqw-zuge

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.

CVE-2021-22209

VCID-n7n7-hk7v-rqa4

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.

CVE-2021-22210

VCID-unhf-zjns-n7fn

An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.

CVE-2021-22208

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T18:26:46.915922+00:00	Arch Linux Importer	Affected by	VCID-msda-xqbp-qfdd	https://security.archlinux.org/AVG-1919	38.0.0
2026-04-01T18:25:34.957737+00:00	Arch Linux Importer	Fixing	VCID-24mf-t2wp-t7cb	https://security.archlinux.org/AVG-1888	38.0.0
2026-04-01T18:25:34.935813+00:00	Arch Linux Importer	Fixing	VCID-unhf-zjns-n7fn	https://security.archlinux.org/AVG-1888	38.0.0
2026-04-01T18:25:34.911092+00:00	Arch Linux Importer	Fixing	VCID-6yhw-9sqw-zuge	https://security.archlinux.org/AVG-1888	38.0.0
2026-04-01T18:25:34.886861+00:00	Arch Linux Importer	Fixing	VCID-n7n7-hk7v-rqa4	https://security.archlinux.org/AVG-1888	38.0.0
2026-04-01T18:25:34.862831+00:00	Arch Linux Importer	Fixing	VCID-6tyy-j5zg-zkgw	https://security.archlinux.org/AVG-1888	38.0.0