CE/EE

CVEs (414)

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2019-5474	GitLab Inc. GitLab	—	0.00	Jan 28, 2020	An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
CVE-2019-5465	GitLab Inc. GitLab	—	0.00	Jan 28, 2020	An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
CVE-2019-15583	GitLab Inc. GitLab Community Edition	—	0.00	Jan 28, 2020	An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed…
CVE-2019-5464	GitLab Inc. CE/EE	—	0.00	Jan 28, 2020	A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
CVE-2019-15585	GitLab Inc. GitLab Community Edition	—	0.00	Jan 28, 2020	Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.
CVE-2019-5462	GitLab Inc. GitLab Community Edition	—	0.00	Jan 28, 2020	A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
CVE-2019-15586	GitLab Inc. GitLab	—	0.00	Jan 28, 2020	A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin.
CVE-2019-20145	GitLab Inc. CE/EE	—	0.00	Jan 13, 2020	An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.
CVE-2019-19629	GitLab Inc. CE/EE	—	0.00	Jan 5, 2020	In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
CVE-2019-19628	GitLab Inc. CE/EE	—	0.02	Jan 5, 2020	In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
CVE-2019-19314	GitLab Inc. CE/EE	—	0.00	Jan 5, 2020	GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.
CVE-2019-19313	GitLab Inc. CE/EE	—	0.00	Jan 5, 2020	GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits.
CVE-2019-19312	GitLab Inc. CE/EE	—	0.00	Jan 5, 2020	GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
CVE-2019-19311	GitLab Inc. CE/EE	—	0.00	Jan 3, 2020	GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
CVE-2019-5487	GitLab Inc. GitLab	—	0.00	Dec 18, 2019	An improper access control vulnerability exists in Gitlab EE <v12.3.3, <v12.2.7, & <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits.
CVE-2019-15575	GitLab Inc. CE/EE	—	0.03	Dec 18, 2019	A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope.
CVE-2019-15576	GitLab Inc. CE/EE	—	0.01	Dec 18, 2019	An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
CVE-2019-15577	GitLab Inc. CE/EE	—	0.00	Dec 18, 2019	An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.
CVE-2019-5486	GitLab Inc. CE/EE	—	0.00	Dec 18, 2019	A authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
CVE-2019-5467	GitLab Inc. CE/EE	—	0.00	Sep 9, 2019	An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

CVE-2019-5474Jan 28, 2020
GitLab Inc.
GitLab
risk 0.00cvss —epss 0.00
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
CVE-2019-5465Jan 28, 2020
GitLab Inc.
GitLab
risk 0.00cvss —epss 0.00
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
CVE-2019-15583Jan 28, 2020
GitLab Inc.
GitLab Community Edition
risk 0.00cvss —epss 0.00
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed…
CVE-2019-5464Jan 28, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
CVE-2019-15585Jan 28, 2020
GitLab Inc.
GitLab Community Edition
risk 0.00cvss —epss 0.00
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.
CVE-2019-5462Jan 28, 2020
GitLab Inc.
GitLab Community Edition
risk 0.00cvss —epss 0.00
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
CVE-2019-15586Jan 28, 2020
GitLab Inc.
GitLab
risk 0.00cvss —epss 0.00
A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin.
CVE-2019-20145Jan 13, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.
CVE-2019-19629Jan 5, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
CVE-2019-19628Jan 5, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.02
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
CVE-2019-19314Jan 5, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.
CVE-2019-19313Jan 5, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits.
CVE-2019-19312Jan 5, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
CVE-2019-19311Jan 3, 2020
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
CVE-2019-5487Dec 18, 2019
GitLab Inc.
GitLab
risk 0.00cvss —epss 0.00
An improper access control vulnerability exists in Gitlab EE <v12.3.3, <v12.2.7, & <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits.
CVE-2019-15575Dec 18, 2019
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.03
A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope.
CVE-2019-15576Dec 18, 2019
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.01
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
CVE-2019-15577Dec 18, 2019
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.
CVE-2019-5486Dec 18, 2019
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
A authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
CVE-2019-5467Sep 9, 2019
GitLab Inc.
CE/EE
risk 0.00cvss —epss 0.00
An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

Page 20 of 21