ISHACK AI BOT

FreeBSD: VID-4405E9AD-97FE-11EE-86BB-A8A1599412C6 (CVE-2023-6512): chromium -- multiple security fixes Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/05/2023 Created 12/13/2023 Added 12/11/2023 Modified 01/28/2025 Description Inappropriate implementation in Web Browser UI in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to potentially spoof the contents of an iframe dialog context menu via a crafted HTML page. (Chromium security severity: Low) Solution(s) freebsd-upgrade-package-chromium freebsd-upgrade-package-qt5-webengine freebsd-upgrade-package-qt6-webengine freebsd-upgrade-package-ungoogled-chromium References CVE-2023-6512

Amazon Linux AMI 2: CVE-2022-24808: Security patch for net-snmp (ALAS-2023-2366) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 12/05/2023 Created 12/06/2023 Added 12/05/2023 Modified 01/28/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) amazon-linux-ami-2-upgrade-net-snmp amazon-linux-ami-2-upgrade-net-snmp-agent-libs amazon-linux-ami-2-upgrade-net-snmp-debuginfo amazon-linux-ami-2-upgrade-net-snmp-devel amazon-linux-ami-2-upgrade-net-snmp-gui amazon-linux-ami-2-upgrade-net-snmp-libs amazon-linux-ami-2-upgrade-net-snmp-perl amazon-linux-ami-2-upgrade-net-snmp-python amazon-linux-ami-2-upgrade-net-snmp-sysvinit amazon-linux-ami-2-upgrade-net-snmp-utils References https://attackerkb.com/topics/cve-2022-24808 AL2/ALAS-2023-2366 CVE - 2022-24808

Amazon Linux AMI 2: CVE-2022-24806: Security patch for net-snmp (ALAS-2023-2366) Severity 6 CVSS (AV:N/AC:M/Au:S/C:N/I:N/A:C) Published 12/05/2023 Created 12/06/2023 Added 12/05/2023 Modified 01/28/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) amazon-linux-ami-2-upgrade-net-snmp amazon-linux-ami-2-upgrade-net-snmp-agent-libs amazon-linux-ami-2-upgrade-net-snmp-debuginfo amazon-linux-ami-2-upgrade-net-snmp-devel amazon-linux-ami-2-upgrade-net-snmp-gui amazon-linux-ami-2-upgrade-net-snmp-libs amazon-linux-ami-2-upgrade-net-snmp-perl amazon-linux-ami-2-upgrade-net-snmp-python amazon-linux-ami-2-upgrade-net-snmp-sysvinit amazon-linux-ami-2-upgrade-net-snmp-utils References https://attackerkb.com/topics/cve-2022-24806 AL2/ALAS-2023-2366 CVE - 2022-24806

Amazon Linux AMI 2: CVE-2022-24805: Security patch for net-snmp (ALAS-2023-2366) Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 12/05/2023 Created 12/06/2023 Added 12/05/2023 Modified 01/28/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) amazon-linux-ami-2-upgrade-net-snmp amazon-linux-ami-2-upgrade-net-snmp-agent-libs amazon-linux-ami-2-upgrade-net-snmp-debuginfo amazon-linux-ami-2-upgrade-net-snmp-devel amazon-linux-ami-2-upgrade-net-snmp-gui amazon-linux-ami-2-upgrade-net-snmp-libs amazon-linux-ami-2-upgrade-net-snmp-perl amazon-linux-ami-2-upgrade-net-snmp-python amazon-linux-ami-2-upgrade-net-snmp-sysvinit amazon-linux-ami-2-upgrade-net-snmp-utils References https://attackerkb.com/topics/cve-2022-24805 AL2/ALAS-2023-2366 CVE - 2022-24805

Debian: CVE-2023-49284: fish -- security update Severity 6 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:C) Published 12/05/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-fish References https://attackerkb.com/topics/cve-2023-49284 CVE - 2023-49284

Apache OFBiz: CVE-2023-49070: Code Injection vulnerability. Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/05/2023 Created 01/10/2025 Added 12/23/2024 Modified 12/23/2024 Description Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10 Solution(s) apache-ofbiz-upgrade-latest References https://attackerkb.com/topics/cve-2023-49070 CVE - 2023-49070

Red Hat OpenShift: CVE-2023-45287: golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/05/2023 Created 03/01/2024 Added 02/29/2024 Modified 01/28/2025 Description Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. Solution(s) linuxrpm-upgrade-buildah linuxrpm-upgrade-butane linuxrpm-upgrade-containernetworking-plugins linuxrpm-upgrade-microshift linuxrpm-upgrade-openshift linuxrpm-upgrade-openshift-clients linuxrpm-upgrade-podman linuxrpm-upgrade-runc linuxrpm-upgrade-skopeo References https://attackerkb.com/topics/cve-2023-45287 CVE - 2023-45287 RHSA-2023:7200 RHSA-2023:7201 RHSA-2024:0269 RHSA-2024:0281 RHSA-2024:0748 RHSA-2024:1078 RHSA-2024:1859 RHSA-2024:1901 RHSA-2024:2180 RHSA-2024:2193 RHSA-2024:2239 RHSA-2024:2245 RHSA-2024:2272 RHSA-2024:2729 RHSA-2024:2730 RHSA-2024:2767 RHSA-2024:2988 RHSA-2024:3316 RHSA-2024:4429 View more

FreeBSD: VID-9CBBC506-93C1-11EE-8E38-002590C1F29C (CVE-2023-6534): FreeBSD -- TCP spoofing vulnerability in pf(4) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/05/2023 Created 12/20/2023 Added 12/14/2023 Modified 01/28/2025 Description In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a denial-of-service attack against hosts behind the firewall. Solution(s) freebsd-upgrade-base-12_4-release-p6 freebsd-upgrade-base-13_2-release-p4 freebsd-upgrade-base-14_0-release-p2 References CVE-2023-6534

Cisco ASA: CVE-2023-20275: Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Packet Validation Vulnerability Severity 4 CVSS (AV:N/AC:L/Au:S/C:N/I:P/A:N) Published 12/05/2023 Created 12/15/2023 Added 12/12/2023 Modified 01/22/2025 Description A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to send packets with another VPN user's source IP address. This vulnerability is due to improper validation of the packet's inner source IP address after decryption. An attacker could exploit this vulnerability by sending crafted packets through the tunnel. A successful exploit could allow the attacker to send a packet impersonating another VPN user's IP address. It is not possible for the attacker to receive return packets. Solution(s) cisco-asa-update-latest References https://attackerkb.com/topics/cve-2023-20275 CVE - 2023-20275 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-Y88QOm77 cisco-sa-asa-ssl-vpn-Y88QOm77

Amazon Linux AMI 2: CVE-2023-44446: Security patch for gstreamer1-plugins-bad-free (ALAS-2023-2355) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/05/2023 Created 12/06/2023 Added 12/05/2023 Modified 01/28/2025 Description GStreamer MXF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22299. Solution(s) amazon-linux-ami-2-upgrade-gstreamer1-plugins-bad-free amazon-linux-ami-2-upgrade-gstreamer1-plugins-bad-free-debuginfo amazon-linux-ami-2-upgrade-gstreamer1-plugins-bad-free-devel References https://attackerkb.com/topics/cve-2023-44446 AL2/ALAS-2023-2355 CVE - 2023-44446

Amazon Linux AMI 2: CVE-2023-44429: Security patch for gstreamer1-plugins-bad-free (ALAS-2023-2355) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/05/2023 Created 12/06/2023 Added 12/05/2023 Modified 01/28/2025 Description GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226. Solution(s) amazon-linux-ami-2-upgrade-gstreamer1-plugins-bad-free amazon-linux-ami-2-upgrade-gstreamer1-plugins-bad-free-debuginfo amazon-linux-ami-2-upgrade-gstreamer1-plugins-bad-free-devel References https://attackerkb.com/topics/cve-2023-44429 AL2/ALAS-2023-2355 CVE - 2023-44429

Oracle Linux: CVE-2023-42917: ELSA-2023-7715:webkit2gtk3 security update (IMPORTANT) (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/05/2023 Created 12/20/2023 Added 12/14/2023 Modified 02/05/2025 Description A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. A flaw was found in WebKitGTK. Processing malicious web content may lead to remote code execution. This vulnerability is known to be actively exploited in the wild and was included in the CISA's KEV catalog. Solution(s) oracle-linux-upgrade-webkit2gtk3 oracle-linux-upgrade-webkit2gtk3-devel oracle-linux-upgrade-webkit2gtk3-jsc oracle-linux-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-42917 CVE - 2023-42917 ELSA-2023-7715 ELSA-2023-7716

Ubuntu: USN-6545-1 (CVE-2023-42916): WebKitGTK vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 11/30/2023 Created 12/13/2023 Added 12/12/2023 Modified 01/28/2025 Description An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. Solution(s) ubuntu-upgrade-libjavascriptcoregtk-4-0-18 ubuntu-upgrade-libjavascriptcoregtk-4-1-0 ubuntu-upgrade-libjavascriptcoregtk-6-0-1 ubuntu-upgrade-libwebkit2gtk-4-0-37 ubuntu-upgrade-libwebkit2gtk-4-1-0 References https://attackerkb.com/topics/cve-2023-42916 CVE - 2023-42916 USN-6545-1

CentOS Linux: CVE-2023-5869: Important: postgresql security update (CESA-2023:7783) Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 11/30/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory. Solution(s) centos-upgrade-postgresql centos-upgrade-postgresql-contrib centos-upgrade-postgresql-debuginfo centos-upgrade-postgresql-devel centos-upgrade-postgresql-docs centos-upgrade-postgresql-libs centos-upgrade-postgresql-plperl centos-upgrade-postgresql-plpython centos-upgrade-postgresql-pltcl centos-upgrade-postgresql-server centos-upgrade-postgresql-static centos-upgrade-postgresql-test centos-upgrade-postgresql-upgrade References CVE-2023-5869

Ubuntu: USN-6545-1 (CVE-2023-42917): WebKitGTK vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/30/2023 Created 12/13/2023 Added 12/12/2023 Modified 01/28/2025 Description A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. Solution(s) ubuntu-upgrade-libjavascriptcoregtk-4-0-18 ubuntu-upgrade-libjavascriptcoregtk-4-1-0 ubuntu-upgrade-libjavascriptcoregtk-6-0-1 ubuntu-upgrade-libwebkit2gtk-4-0-37 ubuntu-upgrade-libwebkit2gtk-4-1-0 References https://attackerkb.com/topics/cve-2023-42917 CVE - 2023-42917 USN-6545-1

Rocky Linux: CVE-2023-42917: webkit2gtk3 (RLSA-2023-7716) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/30/2023 Created 03/07/2024 Added 03/05/2024 Modified 01/28/2025 Description A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. Solution(s) rocky-upgrade-webkit2gtk3 rocky-upgrade-webkit2gtk3-debuginfo rocky-upgrade-webkit2gtk3-debugsource rocky-upgrade-webkit2gtk3-devel rocky-upgrade-webkit2gtk3-devel-debuginfo rocky-upgrade-webkit2gtk3-jsc rocky-upgrade-webkit2gtk3-jsc-debuginfo rocky-upgrade-webkit2gtk3-jsc-devel rocky-upgrade-webkit2gtk3-jsc-devel-debuginfo References https://attackerkb.com/topics/cve-2023-42917 CVE - 2023-42917 https://errata.rockylinux.org/RLSA-2023:7716

Debian: CVE-2023-49081: python-aiohttp -- security update Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 11/30/2023 Created 12/17/2024 Added 12/16/2024 Modified 02/05/2025 Description aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. Solution(s) debian-upgrade-python-aiohttp References https://attackerkb.com/topics/cve-2023-49081 CVE - 2023-49081 DSA-5828-1

Debian: CVE-2023-42916: webkit2gtk, wpewebkit -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 11/30/2023 Created 12/20/2023 Added 12/19/2023 Modified 01/28/2025 Description An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. Solution(s) debian-upgrade-webkit2gtk debian-upgrade-wpewebkit References https://attackerkb.com/topics/cve-2023-42916 CVE - 2023-42916 DSA-5575-1

FreeBSD: VID-3B14B2B4-9014-11EE-98B3-001B217B3468 (CVE-2023-5995): Gitlab -- Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 11/30/2023 Created 12/05/2023 Added 12/02/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-5995

Debian: CVE-2023-42917: webkit2gtk, wpewebkit -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/30/2023 Created 12/20/2023 Added 12/19/2023 Modified 01/28/2025 Description A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. Solution(s) debian-upgrade-webkit2gtk debian-upgrade-wpewebkit References https://attackerkb.com/topics/cve-2023-42917 CVE - 2023-42917 DSA-5575-1

FreeBSD: VID-3B14B2B4-9014-11EE-98B3-001B217B3468 (CVE-2023-3949): Gitlab -- Vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N) Published 11/30/2023 Created 12/05/2023 Added 12/02/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-3949

FreeBSD: VID-3B14B2B4-9014-11EE-98B3-001B217B3468 (CVE-2023-4912): Gitlab -- Vulnerabilities Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 11/30/2023 Created 12/05/2023 Added 12/02/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-4912

FreeBSD: VID-3B14B2B4-9014-11EE-98B3-001B217B3468 (CVE-2023-5226): Gitlab -- Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 11/30/2023 Created 12/05/2023 Added 12/02/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-5226

FreeBSD: VID-3B14B2B4-9014-11EE-98B3-001B217B3468 (CVE-2023-3443): Gitlab -- Vulnerabilities Severity 4 CVSS (AV:N/AC:L/Au:S/C:N/I:P/A:N) Published 11/30/2023 Created 12/05/2023 Added 12/02/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-3443

FreeBSD: VID-3B14B2B4-9014-11EE-98B3-001B217B3468 (CVE-2023-4317): Gitlab -- Vulnerabilities Severity 4 CVSS (AV:N/AC:L/Au:S/C:N/I:P/A:N) Published 11/30/2023 Created 12/05/2023 Added 12/02/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-4317