Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-3351 | Med | 4.3 | >= 13.7.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webh | |
| CVE-2022-3331 | Low | 3.5 | >= 14.5.0, < 15.1.6 | 15.1.6 | Oct 17, 2022 | An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that | |
| CVE-2022-3330 | Med | 4.3 | >= 15.0.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1. | |
| CVE-2022-3325 | Low | 2.7 | >= 12.8.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user. | |
| CVE-2022-3293 | Low | 3.5 | >= 9.3.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 | |
| CVE-2022-3291 | Med | 6.5 | >= 14.9.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache | |
| CVE-2022-3288 | Low | 3.5 | < 15.2.5 | 15.2.5 | Oct 17, 2022 | A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected. | |
| CVE-2022-3286 | Med | 5.3 | >= 14.2.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token | |
| CVE-2022-3283 | Hig | 7.5 | < 15.2.5 | 15.2.5 | Oct 17, 2022 | A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 While cloning an issue with special crafted content added to the description coul | |
| CVE-2022-3279 | Low | 2.7 | < 15.2.5 | 15.2.5 | Oct 17, 2022 | An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs | |
| CVE-2022-3067 | Med | 6.5 | >= 14.4.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitr | |
| CVE-2022-3066 | Med | 5.4 | >= 10.0.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project. | |
| CVE-2022-3060 | Hig | 7.3 | >= 12.7.0, < 15.2.5 | 15.2.5 | Oct 17, 2022 | Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests | |
| CVE-2022-3031 | Low | 3.7 | < 15.1.6 | 15.1.6 | Oct 17, 2022 | An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted request | |
| CVE-2022-3030 | Med | 4.3 | < 15.1.6 | 15.1.6 | Oct 17, 2022 | An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users. | |
| CVE-2022-2992 | Cri | 9.9 | >= 11.10.0, < 15.1.6 | 15.1.6 | Oct 17, 2022 | A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. | |
| CVE-2022-2931 | Hig | 7.5 | < 15.1.6 | 15.1.6 | Oct 17, 2022 | A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high C | |
| CVE-2022-2908 | Med | 4.3 | >= 10.7.0, < 15.1.5 | 15.1.5 | Oct 17, 2022 | A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in | |
| CVE-2022-2884 | Cri | 9.9 | >= 11.3.4, < 15.1.5 | 15.1.5 | Oct 17, 2022 | A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint | |
| CVE-2022-2865 | Hig | 7.3 | >= 9.0.0, < 15.1.6 | 15.1.6 | Oct 17, 2022 | A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers |
- affected >= 13.7.0, < 15.2.5fixed 15.2.5
An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webh
- affected >= 14.5.0, < 15.1.6fixed 15.1.6
An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that
- affected >= 15.0.0, < 15.2.5fixed 15.2.5
It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1.
- affected >= 12.8.0, < 15.2.5fixed 15.2.5
Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user.
- affected >= 9.3.0, < 15.2.5fixed 15.2.5
Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1
- affected >= 14.9.0, < 15.2.5fixed 15.2.5
Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache
- affected < 15.2.5fixed 15.2.5
A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.
- affected >= 14.2.0, < 15.2.5fixed 15.2.5
Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token
- affected < 15.2.5fixed 15.2.5
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 While cloning an issue with special crafted content added to the description coul
- affected < 15.2.5fixed 15.2.5
An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs
- affected >= 14.4.0, < 15.2.5fixed 15.2.5
An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitr
- affected >= 10.0.0, < 15.2.5fixed 15.2.5
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project.
- affected >= 12.7.0, < 15.2.5fixed 15.2.5
Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests
- affected < 15.1.6fixed 15.1.6
An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted request
- affected < 15.1.6fixed 15.1.6
An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users.
- affected >= 11.10.0, < 15.1.6fixed 15.1.6
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
- affected < 15.1.6fixed 15.1.6
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high C
- affected >= 10.7.0, < 15.1.5fixed 15.1.5
A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in
- affected >= 11.3.4, < 15.1.5fixed 15.1.5
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint
- affected >= 9.0.0, < 15.1.6fixed 15.1.6
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers
Page 32 of 54