CE/EE
by GitLab Inc.
Source repositories
CVEs (414)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13263 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 19, 2020 | An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer to perform limited actions. |
| CVE-2020-13264 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 19, 2020 | Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view the Kubernetes cluster token. |
| CVE-2020-13275 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 19, 2020 | A user with an unverified email address could request access to domain-restricted groups in GitLab EE 12.2 and later through 13.0.1. |
| CVE-2020-13273 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 19, 2020 | A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1. |
| CVE-2020-13265 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 19, 2020 | User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification. |
| CVE-2020-13277 | GitLab Inc. / CE/EE | | 0.00 | — | 0.05 | | Jun 19, 2020 | An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5. |
| CVE-2020-13269 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 10, 2020 | A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1. |
| CVE-2020-13270 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 10, 2020 | Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via the API. |
| CVE-2020-13268 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 10, 2020 | A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1. |
| CVE-2020-13267 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 10, 2020 | A Stored Cross-Site Scripting vulnerability allowed the execution of JavaScript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1. |
| CVE-2020-13271 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 10, 2020 | A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1. |
| CVE-2020-13266 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Jun 9, 2020 | Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions. |
| CVE-2020-12448 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | May 7, 2020 | GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. |
| CVE-2020-11649 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 22, 2020 | An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. |
| CVE-2020-10975 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 8, 2020 | GitLab EE/CE 10.8 to 12.9 leaks metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page. |
| CVE-2020-10976 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 8, 2020 | GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget. |
| CVE-2020-10978 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 8, 2020 | GitLab EE/CE 8.11 to 12.9 leaks information on Issues opened in a public project and then moved to a private project through the Web UI and GraphQL API. |
| CVE-2020-10979 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 8, 2020 | GitLab EE/CE 11.10 to 12.9 leaks information on restricted CI pipeline metrics to unauthorized users. |
| CVE-2020-10980 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 8, 2020 | GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration. |
| CVE-2020-10981 | GitLab Inc. / CE/EE | | 0.00 | — | 0.00 | | Apr 8, 2020 | GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project. |

Sev and KEV are not populated on this page; Vendor / Product is taken from the page header.
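The version phrases in these descriptions ("12.8 and later through 13.0.1", "8.15 through 12.9.2", "all previous versions through 13.0.1") are what an operator actually triages against a deployed instance. The script below is an added example, not code from this page or from GitLab: it transcribes the affected ranges stated above into data and reports which of the listed CVEs apply to a given GitLab version. Three assumptions are built in and marked in the code: a short upper bound such as "12.9" is read as covering the whole 12.9 series; an entry with no stated upper bound (CVE-2020-12448, "12.8 and later") is reported as affected until the vendor advisory confirms a fixed version; and a release-candidate segment such as "8.0.rc1" sorts before the corresponding final release.

```python
import re

# Affected ranges transcribed from the descriptions on this page (constructed data):
# (CVE, first affected version or None for "all previous versions",
#       last affected version or None when the description states no upper bound).
AFFECTED = [
    ("CVE-2020-13263", "9.5",     "13.0.1"),
    ("CVE-2020-13264", "10.3",    "13.0.1"),
    ("CVE-2020-13275", "12.2",    "13.0.1"),
    ("CVE-2020-13273", "12.0",    "13.0.1"),
    ("CVE-2020-13265", "12.5",    "13.0.1"),
    ("CVE-2020-13277", "10.6",    "13.0.5"),
    ("CVE-2020-13269", "12.10",   "13.0.1"),
    ("CVE-2020-13270", "11.3",    "13.0.1"),
    ("CVE-2020-13268", "12.10",   "13.0.1"),
    ("CVE-2020-13267", "12.8",    "13.0.1"),
    ("CVE-2020-13271", None,      "13.0.1"),
    ("CVE-2020-13266", "12.8",    "13.0.1"),
    ("CVE-2020-12448", "12.8",    None),      # "12.8 and later": no fixed version stated
    ("CVE-2020-11649", "8.15",    "12.9.2"),
    ("CVE-2020-10975", "10.8",    "12.9"),
    ("CVE-2020-10976", "8.17",    "12.9"),
    ("CVE-2020-10978", "8.11",    "12.9"),
    ("CVE-2020-10979", "11.10",   "12.9"),
    ("CVE-2020-10980", "8.0.rc1", "12.9"),
    ("CVE-2020-10981", "9.0",     "12.9"),
]


def parse_version(text):
    """'13.0.1' -> (13, 0, 1).  A release-candidate segment 'rcN' becomes (-1, N),
    so that after zero-padding 8.0.rc1 sorts before 8.0 and 8.0.0 (assumption)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.fullmatch(r"rc(\d+)", piece, flags=re.IGNORECASE)
        if m:
            parts.extend((-1, int(m.group(1))))
        else:
            parts.append(int(piece))
    return tuple(parts)


def _pad(v, width):
    # Zero-pad so (8, 0) and (8, 0, -1, 1) compare component by component.
    return v + (0,) * (width - len(v))


def version_in_range(version, lower, upper):
    """True if `version` falls inside the stated affected range.

    lower=None means "all previous versions".  upper=None means the description
    states no fixed version, which is treated as affected (assumption: verify the
    fixed release against the vendor advisory before closing the finding)."""
    v = parse_version(version)
    if lower is not None:
        lo = parse_version(lower)
        width = max(len(v), len(lo))
        if _pad(v, width) < _pad(lo, width):
            return False
    if upper is not None:
        up = parse_version(upper)
        # A short bound such as "12.9" is read as the whole 12.9 series (assumption):
        # only as many leading components as the bound has are compared, so 12.9.2
        # is inside "to 12.9" while 12.10 is not.
        if _pad(v[:len(up)], len(up)) > up:
            return False
    return True


def applicable_cves(version):
    """CVE IDs from this page whose stated range contains `version`, in page order."""
    return [cve for cve, lo, up in AFFECTED if version_in_range(version, lo, up)]


if __name__ == "__main__":
    for probe in ("12.9.2", "13.0.1", "13.0.2", "13.0.6"):
        hits = applicable_cves(probe)
        print(f"GitLab {probe}: {len(hits)} listed CVE(s) apply: {', '.join(hits)}")
```

Note the two boundaries the data itself exposes: 13.0.2 clears every "through 13.0.1" entry but is still inside CVE-2020-13277's "through 13.0.5", and CVE-2020-12448 stays on the list for any 12.8+ version because its description gives no upper bound, which is exactly the case that needs the vendor advisory rather than this table.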
Page 18 of 21