Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-4255 | Med | 4.3 | >= 13.7.0, < 15.4.6 | 15.4.6 | Jan 27, 2023 | An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload. | |
| CVE-2022-4205 | Med | 6.3 | >= 1.0.0, < 12.9.8 | 12.9.8 | Jan 27, 2023 | In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash. | |
| CVE-2022-4201 | Low | 3.5 | >= 11.3.0, < 15.4.6 | 15.4.6 | Jan 27, 2023 | A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. | |
| CVE-2022-4335 | Med | 4.3 | < 15.4.6 | 15.4.6 | Jan 27, 2023 | A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host. | |
| CVE-2022-4092 | Med | 5.7 | >= 15.6.0, < 15.6.1 | 15.6.1 | Jan 26, 2023 | An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input. | |
| CVE-2022-4054 | Med | 5.5 | >= 9.3.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the web | |
| CVE-2022-3902 | Med | 5.5 | >= 9.3.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the l | |
| CVE-2022-3820 | Med | 6.5 | >= 15.4.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in | |
| CVE-2022-3740 | Med | 6.5 | >= 12.9.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package regis | |
| CVE-2022-3572 | Cri | 9.3 | >= 13.5.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XS | |
| CVE-2022-3482 | Med | 5.3 | >= 11.3.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only | |
| CVE-2022-3478 | Med | 4.3 | >= 12.8.0, < 15.4.6 | 15.4.6 | Jan 26, 2023 | An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package. | |
| CVE-2022-2907 | Med | 5.7 | >= 12.9.0, < 15.1.6 | 15.1.6 | Jan 17, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to read repository content by an unauthorised user if a project memb | |
| CVE-2023-0042 | Med | 6.1 | >= 11.4.0, < 15.5.7 | 15.5.7 | Jan 12, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. | |
| CVE-2022-4365 | Med | 5.5 | >= 11.8.0, < 15.5.7 | 15.5.7 | Jan 12, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in t | |
| CVE-2022-4342 | Med | 5.5 | >= 15.1.0, < 15.5.7 | 15.5.7 | Jan 12, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the | |
| CVE-2022-4167 | Med | 5.3 | >= 13.11.0, < 15.5.7 | 15.5.7 | Jan 12, 2023 | Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them. | |
| CVE-2022-4131 | Med | 4.3 | >= 10.8.0, < 15.5.7 | 15.5.7 | Jan 12, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex i | |
| CVE-2022-4037 | Med | 6.4 | < 15.5.7 | 15.5.7 | Jan 12, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using Git | |
| CVE-2022-3870 | Med | 5.3 | >= 10.0.0, < 15.5.7 | 15.5.7 | Jan 12, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user |
- affected >= 13.7.0, < 15.4.6fixed 15.4.6
An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload.
- affected >= 1.0.0, < 12.9.8fixed 12.9.8
In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash.
- affected >= 11.3.0, < 15.4.6fixed 15.4.6
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner.
- affected < 15.4.6fixed 15.4.6
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host.
- affected >= 15.6.0, < 15.6.1fixed 15.6.1
An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.
- affected >= 9.3.0, < 15.4.6fixed 15.4.6
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the web
- affected >= 9.3.0, < 15.4.6fixed 15.4.6
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the l
- affected >= 15.4.0, < 15.4.6fixed 15.4.6
An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in
- affected >= 12.9.0, < 15.4.6fixed 15.4.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package regis
- affected >= 13.5.0, < 15.4.6fixed 15.4.6
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XS
- affected >= 11.3.0, < 15.4.6fixed 15.4.6
An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only
- affected >= 12.8.0, < 15.4.6fixed 15.4.6
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.
- affected >= 12.9.0, < 15.1.6fixed 15.1.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to read repository content by an unauthorised user if a project memb
- affected >= 11.4.0, < 15.5.7fixed 15.5.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols.
- affected >= 11.8.0, < 15.5.7fixed 15.5.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in t
- affected >= 15.1.0, < 15.5.7fixed 15.5.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the
- affected >= 13.11.0, < 15.5.7fixed 15.5.7
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.
- affected >= 10.8.0, < 15.5.7fixed 15.5.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex i
- affected < 15.5.7fixed 15.5.7
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using Git
- affected >= 10.0.0, < 15.5.7fixed 15.5.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user
Page 30 of 54