This repository contains the security advisories used by the GitLab dependency scanners.
You can also search for advisories on https://advisories.gitlab.com
This vulnerability database is available freely under the GitLab Advisory Database Terms, please review them before any usage.
If you know about a vulnerability that isn't listed in this repo, you can contribute to the GitLab Advisory Database database by opening an issue, or even submit the vulnerability as a YAML file in a merge request. Please review the contribution guidelines.
In case you do not want to create the advisory yourself, you can also create an
issue and mention the missing advisory. In this case, we would be grateful if
you could add a publicly available resource/links to mailing lists and/or issue
description for verification purposes. We would be very grateful, if you could
create an issue using the New Advisory
template.
We would like to thank the following authors very much for their valuable contributions.
Author | MRs/Issues |
---|---|
@candrews | !18818, !19242, !19243, !19941, !21374, !21798, !23688, !23691 |
@mrtux | !1611, !1613, !11467, !13620 |
@dmitriylewen | #195, #196, #207, #208 |
@AFDesk | #175, #187, #188, #200 |
@curvedriver | #174, #197, #199 |
@patrickmorton | #179, #180, #182 |
@blischalkcof | #168, #185, #213, #214, #220 |
@brondsem | !1500, !1501 |
@vanschelven | #210, !23063, #224 |
@dmitriylewen | #206, #223 |
@thklein | #167 |
@AB-xdev | #166 |
@rusher1 | !2246 |
@vavkamil | !4650 |
@robw-nom | !4808 |
@masahiro331 | !6889 |
@mattchrist | #173 |
@westonsteimel | !11629 |
@mburakouski | #181 |
@attritionorg | !13114 |
@hnathbar | !13474 |
@javidr | #189 |
@mrjonstrong | !13937 |
@hchriwoo | #192 |
@masakura | !14708 |
@blischalkcof | #194 |
@ryan461 | !15227 |
@steppy452 | #198 |
@rousey.thomas-heb | #203 |
@captncraig | !17282 |
@u808595 | #209 |
@opalmer | #212 |
@tywayne | !22027 |
@Bragolgirith | #221 |
@thw0rted | #222 |
@weyert-tapico | #226 |
@wichers | #229 |
@niklas.volcz | !24710 |
@flagosatfluid | #232, #239, #240, #241, #242, #244, #257 |
@delifer | #258 |
@cflucasraab | !25856 |
@sify21 | !26082 |
@yasinsd @greengeko | !26255 |
@flagosatfluid | #265 |
@Kamoot | !26608 |
@fedemengo | !26641, !26850 |
@flagosatfluid | !26642 |
@greengeko | !26649, !26857, !26898, !27717, !27720 |
@hristiyan.ivanov | !26861, #274 |
Each YAML file of the repo corresponds to a single security advisory. The file path is made of the slug of the affected package (type and name), and the identifier of the advisory, following the pattern:
package_slug/advisory_identifier.yml
For instance, security advisory CVE-2019-11324 related to Python package urllib3 is:
pypi/urllib3/CVE-2019-11324.yaml
The package slug is made of the
package type and the fully qualified package name separated by a slash /
. The
package name refers to the exact name of the package as it would appear in the
dependency configuration/lockfile.
The supported package types are:
gem
go
maven
npm
packagist
pypi
nuget
conan
swift
cargo
These correspond to:
- gems from rubygems.org
- go from source code hosting services such as
gitlab.com
orgithub.aaakk.us.kg
- Java Maven packages from Maven Central
- npm packages from npmjs.com
- PHP Composer packages from packagist.org
- Python packages from pypi.org
- Nuget packages from nuget.org
- Conan packages from conan.io
- Swift from source code hosting services such as
gitlab.com
orgithub.aaakk.us.kg
- Cargo from source code hosting services such as
gitlab.com
orgithub.aaakk.us.kg
For npm packages, the package name may include a npm scope. For instance, the package slug of @babel/cli is:
npm/@babel/cli
For Maven packages, the package name is made of the groupId
and the artifactId
separted by a slash /
.
For instance, the package slug of jackson-databind is:
maven/com.fasterxml.jackson.core/jackson-databind
For Nuget packages, the package name may be separated by .
characters, for example:
nuget/Node.js
identifiers
(array of strings) is an array that includes public identifiers for the advisory. If a vulnerability (and the corresponding advisory) cannot be linked to a CVE, you can use our internal idGMS-<year>-<nr>
where<year>
is the year in which the vulnerability was disclosed and<nr>
is a sequence number. In order to generate a new, unique valid id, you can use our helper scriptidentifier/identifer.rb
which can be invoked withidentifier/identifer.rb -n . <year>
where<year>
is the year in which the vulnerability has been disclosed, e.g.2017
.identifier
(string, DEPERECATED) should be the CVE id when it exists. If a vulnerability (and the corresponding advisory) cannot be linked to a CVE, you can use our internal idGMS-<year>-<nr>
where<year>
is the year in which the vulnerability was disclosed and<nr>
is a sequence number. In order to generate a new, unique valid id, you can use our helper scriptidentifier/identifer.rb
which can be invoked withidentifier/identifer.rb -n . <year>
where<year>
is the year in which the vulnerability has been disclosed, e.g.2017
.package_slug
(string): Package type and package name separated by a slash.title
(string): A short description of the security flaw.description
(string): A long description of the security flaw and the possible risks. The CommonMark flavor of Markdown can be used.pubdate
(string): The date on which the advisory was made public, in ISO-8601 format;pubdate
refers to the publication date provided by the data-source from which the advisory originates (e.g., NVD).date
(string): The last date on which the advisory was modified, in ISO-8601 format;date
refers to the modification date provided by the data-source from which the advisory originates (e.g., NVD).affected_range
(string): The range of affected versions. Machine-readable syntax used by the package manager.affected_versions
(string): The range of affected versions. Human-readable version for display.fixed_versions
(array of strings): The versions fixing the vulnerability. The order is not relevant.not_impacted
(string, optional): Environments not affected by the vulnerability.solution
(string, optional): How to remediate the vulnerability.credit
(string, optional): The names of the people who reported the vulnerability or helped fixing it.urls
(array of strings): URLs of: detailed advisory, documented exploit, vulnerable source code, etc. The order is not relevant.links
(array of objects, optional): Meta-information regarding the advisory pointing to resources that are helpful to better understand the context. The key has to be alphanumeric. Every object has two properties: a requiredname
(string) and an optionaltype
(poc
,blog
).cwe_ids
(array of strings): List of CWEs that are related to the advisory.cvss_v2
(string, optional): The CVSS attack vector (version 2.x) for a given vulnerability (see https://www.first.org/cvss/v2/ for more details).cvss_v3
(string, optional): The CVSS attack vector (version 3.x) for a given vulnerability (see https://www.first.org/cvss/v3-1/ for more details).versions
(array, optional): Version meta information. This array contains meta-information about the versions that are mentioned in theaffected_range
andfixed_version
fields. A meta-information object includes the following properties:number
: The version number.commit
: Meta information related to a Git commit with the following properties:tags
: The git commit tags that are assiciated with this particular version.sha
: The git commit SHA.timestamp
: The git commit timestamp. This is also the property by which all the meta-information objects, which are contained in theversions
array, are sorted in ascending order.
The syntax to be used in affected_range
depends on the package type:
gem
: gem requirementmaven
: Maven Dependency Version Requirement Specificationnpm
: node-semverphp
: PHP Composer version constraintspypi
: PEP440go
: go semvernuget
: NuGet semverconan
: node-semver flavourswift
: node-semver flavourcargo
: node-semver flavour
The YAML schema also supports temporary fields. All temporary field names start with
an underscore _
character. Note that temporary fields may disappear in the
future.
Our YAML file schema for advisories is specified in ci/schema/schema.json.
Here's a sample document:
---
identifier: "CVE-2021-28965"
identifiers:
- "CVE-2021-28965"
package_slug: "gem/rexml"
title: "Improper Restriction of XML External Entity Reference"
description: "The REXML gem does not properly address XML round-trip issues. An incorrect
document can be produced after parsing and serializing."
date: "2021-06-02"
pubdate: "2021-04-21"
affected_range: "<3.2.5"
fixed_versions:
- "3.2.5"
affected_versions: "All versions before 3.2.5"
not_impacted: "All versions starting from 3.2.5"
solution: "Upgrade to version 3.2.5 or above."
urls:
- "https://nvd.nist.gov/vuln/detail/CVE-2021-28965"
- "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"
links:
- url: "https://hackerone.com/reports/1104077"
type: "poc"
- url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28965"
- url: "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"
cwe_ids:
- "CWE-611"
cvss_v2: "AV:N/AC:L/Au:N/C:N/I:P/A:N"
cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
uuid: "d3422009-4cd3-49e6-bc8a-b0581fed6612"
For some advisories you may find the comments below listed in the advisory headers:
# community-sync
: synchronizes the advisories automatically with our community database independent of its creation date of the advisory.
We apply the following semantic versioning scheme to the GitLab Advisory DB:
- patch version increment: for updated/patched/added advisories.
- minor version increment: backwards-compatible YAML schema changes (e.g., adding/removing optional fields).
- major version increment: non-backwards-compatible YAML schema changes (e.g., adding/removing required fields)
All notable changes concerning minor and major updates are tracked in the changelog which is based on Keep a Changelog.
Our GitLab Advisory Database Terms prohibit the use of data contained in the GitLab Advisory Database (or more specifically the gemnasium-db) by 3rd party tools. 3rd party integrators can use the MIT-licensed, time-delayed gemnasium-db clone https://gitlab.com/gitlab-org/advisories-community instead.