QID 375379
Date Published: 2021-04-14
QID 375379: GitLab Multiple Security Vulnerabilities (gitlab-13-7-2)
GitLab, the software, is a web-based Git repository manager with wiki and issue tracking features.
The GitLab update fixes the following vulnerabilities:
CVE-2021-22171: Ability to steal a user's API access token through GitLab Pages
CVE-2021-22166: Prometheus denial of service via HTTP request with custom method
CVE-2021-22167: Unauthorized user is able to access private repository information under specific conditions
CVE-2021-22168: Regular expression denial of service in NuGet API
CVE-2020-26414: Regular expression denial of service in package uploads
Affected Versions:
GitLab Community Edition (CE) and Enterprise Edition (EE):
CVE-2021-22171: From 11.5.0 prior to 13.5.6, from 13.6.0 prior to 13.6.4, and from 13.7.0 prior to 13.7.2
CVE-2021-22166: From 13.7.0 prior to 13.7.2, from 13.6.0 prior to 13.6.4, and from 13.7.0 prior to 13.7.2
CVE-2021-22167: From 12.1 prior to 13.5.6, from 13.6.0 prior to 13.6.4, and from 13.7.0 prior to 13.7.2
CVE-2021-22168: From 12.8 prior to 13.5.6, from 13.6.0 prior to 13.6.4, and from 13.7.0 prior to 13.7.2
CVE-2020-26414: From 12.4 prior to 13.5.6, from 13.6.0 prior to 13.6.4, and from 13.7.0 prior to 13.7.2
QID Detection Logic (Authenticated):
The check runs the gitlab-rake gitlab:env:info command on the target and compares the reported GitLab version against the affected version ranges above.
Successful exploitation may allow an attacker to cause a denial of service on the affected target.
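The following script is an added example (not Qualys code and not the QID's actual detection routine) of how an administrator can reproduce the version check locally: it reads the GitLab version from gitlab-rake gitlab:env:info output and tests it against the affected ranges listed above. The layout of the command output (a "GitLab information" section containing a "Version:" line) is an assumption, and the sample output embedded below is constructed, not captured from a real host.

```python
"""Check an installed GitLab version against the affected ranges of QID 375379.

Added example. The affected ranges are copied from the advisory above; the
"GitLab information" / "Version:" layout of gitlab:env:info output is an
assumption, and SAMPLE_ENV_INFO is constructed sample output.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) pairs, as stated in the advisory.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2021-22171": [("11.5.0", "13.5.6"), ("13.6.0", "13.6.4"), ("13.7.0", "13.7.2")],
    "CVE-2021-22166": [("13.7.0", "13.7.2"), ("13.6.0", "13.6.4")],
    "CVE-2021-22167": [("12.1", "13.5.6"), ("13.6.0", "13.6.4"), ("13.7.0", "13.7.2")],
    "CVE-2021-22168": [("12.8", "13.5.6"), ("13.6.0", "13.6.4"), ("13.7.0", "13.7.2")],
    "CVE-2020-26414": [("12.4", "13.5.6"), ("13.6.0", "13.6.4"), ("13.7.0", "13.7.2")],
}

# Constructed sample of gitlab:env:info output (placeholder revision, fake host).
SAMPLE_ENV_INFO = """System information
System:\t\tUbuntu 20.04
Ruby Version:\t2.7.2p137
Gem Version:\t3.1.4

GitLab information
Version:\t13.7.1
Revision:\t(placeholder)
Directory:\t/opt/gitlab/embedded/service/gitlab-rails

GitLab Shell
Version:\t13.14.0
"""


def parse_version(text: str) -> Version:
    """Turn '13.7.1', '12.1' or '13.7.1-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_from_env_info(output: str) -> Optional[Version]:
    """Extract the GitLab version from gitlab:env:info output.

    Only the "Version:" line inside the "GitLab information" section is used, so
    the Ruby/Gem/GitLab Shell version lines elsewhere in the output are ignored.
    """
    in_gitlab_section = False
    for line in output.splitlines():
        if line.strip() == "GitLab information":
            in_gitlab_section = True
            continue
        if in_gitlab_section:
            m = re.match(r"\s*Version:\s*(\S+)", line)
            if m:
                return parse_version(m.group(1))
    return None


def affecting_cves(version: Version) -> List[str]:
    """Return the CVEs from QID 375379 whose affected ranges contain `version`."""
    hits: List[str] = []
    for cve, ranges in AFFECTED_RANGES.items():
        if any(parse_version(lo) <= version < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def check_env_info(output: str) -> Dict[str, object]:
    """Summarise a gitlab:env:info dump: detected version and matching CVEs."""
    version = version_from_env_info(output)
    cves = affecting_cves(version) if version else []
    return {"version": version, "vulnerable": bool(cves), "cves": cves}


if __name__ == "__main__":
    # On a real host this is typically run as root (e.g. via sudo); the command
    # prints environment details without modifying the installation.
    proc = subprocess.run(["gitlab-rake", "gitlab:env:info"],
                          capture_output=True, text=True, check=True)
    print(check_env_info(proc.stdout))
```

Patch-level boundaries matter here: 13.7.1 matches every range while 13.7.2, the fixed release, matches none, which is why the comparison uses an exclusive upper bound.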
CVEs related to QID 375379
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| gitlab-13-7-2 | | | |