Filtered by vendor Gitlab
Subscriptions
Total
981 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39866 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 5.4 Medium |
| A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. | ||||
| CVE-2021-22252 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 6.5 Medium |
| A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers | ||||
| CVE-2020-10087 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 7.5 High |
| GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user. | ||||
| CVE-2021-22217 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 6.5 Medium |
| A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request | ||||
| CVE-2021-39891 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.9 Medium |
| In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. | ||||
| CVE-2021-39934 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | ||||
| CVE-2021-39932 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes. | ||||
| CVE-2021-39931 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error. | ||||
| CVE-2021-39916 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | ||||
| CVE-2021-39910 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature. | ||||
| CVE-2021-39903 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 6.5 Medium |
| In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings. | ||||
| CVE-2021-39900 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 2.7 Low |
| Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. | ||||
| CVE-2021-39898 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 5.3 Medium |
| In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from. | ||||
| CVE-2021-39884 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | ||||
| CVE-2022-2227 | 1 Gitlab | 1 Gitlab | 2022-07-08 | 4.3 Medium |
| Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions | ||||
| CVE-2021-22208 | 1 Gitlab | 1 Gitlab | 2022-06-28 | 4.3 Medium |
| An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update. | ||||
| CVE-2021-39875 | 1 Gitlab | 1 Gitlab | 2022-06-28 | 5.3 Medium |
| In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | ||||
| CVE-2021-39869 | 1 Gitlab | 1 Gitlab | 2022-06-28 | 6.5 Medium |
| In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. | ||||
| CVE-2022-1680 | 1 Gitlab | 1 Gitlab | 2022-06-17 | 8.8 High |
| An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account. | ||||
| CVE-2020-13353 | 1 Gitlab | 1 Gitaly | 2022-06-13 | 3.2 Low |
| When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. | ||||