Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-22202 | Low | 2.4 | < 13.8.7 | 13.8.7 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. | |
| CVE-2021-22201 | Cri | 9.6 | >= 13.9.0, < 13.9.5 | 13.9.5 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. | |
| CVE-2021-22200 | Med | 5.9 | >= 12.6.0, < 13.8.7 | 13.8.7 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. | |
| CVE-2021-22198 | Med | 4.3 | >= 13.8.0, < 13.8.7 | 13.8.7 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects. | |
| CVE-2021-22197 | Low | 3.5 | >= 10.6.0, < 13.8.7 | 13.8.7 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other | |
| CVE-2021-22196 | Med | 6.3 | >= 13.4.0, < 13.8.7 | 13.8.7 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name. | |
| CVE-2021-22177 | Med | 4.3 | >= 12.6.0, < 13.6.7 | 13.6.7 | Apr 1, 2021 | Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command. | |
| CVE-2021-22194 | Med | 5.7 | < 13.7.8 | 13.7.8 | Mar 26, 2021 | In all versions of GitLab, marshalled session keys were being stored in Redis. | |
| CVE-2021-22184 | Med | 6.2 | >= 12.8.0, < 13.6.6 | 13.6.6 | Mar 26, 2021 | An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted. | |
| CVE-2021-22180 | Med | 4.3 | >= 13.6.0, < 13.6.7 | 13.6.7 | Mar 26, 2021 | An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages. | |
| CVE-2021-22172 | Med | 4.3 | >= 12.8.0, < 13.6.6 | 13.6.6 | Mar 26, 2021 | Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page | |
| CVE-2021-22169 | Med | 4.3 | >= 13.4.0, < 13.5.6 | 13.5.6 | Mar 24, 2021 | An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages. | |
| CVE-2021-22193 | Low | 3.5 | >= 7.1.0, < 13.6.6 | 13.6.6 | Mar 24, 2021 | An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project. | |
| CVE-2021-22192 | Cri | 9.9 | >= 13.2.0, < 13.7.9 | 13.7.9 | Mar 24, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server. | |
| CVE-2021-22186 | Med | 4.9 | >= 9.4.0, < 13.7.8 | 13.7.8 | Mar 24, 2021 | An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners | |
| CVE-2021-22185 | Med | 5.4 | >= 13.8.0, < 13.8.5 | 13.8.5 | Mar 24, 2021 | Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki | |
| CVE-2021-22179 | Med | 5.4 | >= 12.2.0, < 13.6.6 | 13.6.6 | Mar 24, 2021 | A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature. | |
| CVE-2021-22178 | Med | 5.0 | >= 13.2.0, < 13.6.7 | 13.6.7 | Mar 24, 2021 | An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration. | |
| CVE-2021-22176 | Med | 4.3 | >= 3.0.1, < 13.6.7 | 13.6.7 | Mar 24, 2021 | An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests | |
| CVE-2021-22189 | Med | 5.9 | >= 13.6.0, < 13.6.7 | 13.6.7 | Mar 4, 2021 | Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues. |
- affected < 13.8.7fixed 13.8.7
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
- affected >= 13.9.0, < 13.9.5fixed 13.9.5
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
- affected >= 12.6.0, < 13.8.7fixed 13.8.7
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
- affected >= 13.8.0, < 13.8.7fixed 13.8.7
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
- affected >= 10.6.0, < 13.8.7fixed 13.8.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other
- affected >= 13.4.0, < 13.8.7fixed 13.8.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
- affected >= 12.6.0, < 13.6.7fixed 13.6.7
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
- affected < 13.7.8fixed 13.7.8
In all versions of GitLab, marshalled session keys were being stored in Redis.
- affected >= 12.8.0, < 13.6.6fixed 13.6.6
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
- affected >= 13.6.0, < 13.6.7fixed 13.6.7
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
- affected >= 12.8.0, < 13.6.6fixed 13.6.6
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page
- affected >= 13.4.0, < 13.5.6fixed 13.5.6
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
- affected >= 7.1.0, < 13.6.6fixed 13.6.6
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
- affected >= 13.2.0, < 13.7.9fixed 13.7.9
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
- affected >= 9.4.0, < 13.7.8fixed 13.7.8
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
- affected >= 13.8.0, < 13.8.5fixed 13.8.5
Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki
- affected >= 12.2.0, < 13.6.6fixed 13.6.6
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
- affected >= 13.2.0, < 13.6.7fixed 13.6.7
An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.
- affected >= 3.0.1, < 13.6.7fixed 13.6.7
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
- affected >= 13.6.0, < 13.6.7fixed 13.6.7
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
Page 45 of 54