CE/EE
by GitLab Inc.
CVEs (414)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-5463 | 0.00 | — | 0.00 | Sep 9, 2019 | An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6. | |||
| CVE-2018-19578 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page. | |||
| CVE-2018-19579 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1. | |||
| CVE-2018-19584 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups. | |||
| CVE-2018-19581 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create. | |||
| CVE-2018-19582 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user. | |||
| CVE-2018-19574 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. | |||
| CVE-2018-19575 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. | |||
| CVE-2018-19576 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential. | |||
| CVE-2018-19572 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11. | |||
| CVE-2018-19570 | 0.00 | — | 0.00 | Jul 10, 2019 | GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. | |||
| CVE-2018-19577 | 0.00 | — | 0.00 | Jul 10, 2019 | Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue. | |||
| CVE-2018-18643 | 0.00 | — | 0.00 | Apr 25, 2019 | GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS. | |||
| CVE-2018-19856 | 0.00 | — | 0.00 | Mar 26, 2019 | GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API. |
- CVE-2019-5463Sep 9, 2019risk 0.00cvss —epss 0.00
An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
- CVE-2018-19578Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page.
- CVE-2018-19579Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1.
- CVE-2018-19584Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups.
- CVE-2018-19581Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create.
- CVE-2018-19582Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.
- CVE-2018-19574Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page.
- CVE-2018-19575Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue.
- CVE-2018-19576Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential.
- CVE-2018-19572Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.
- CVE-2018-19570Jul 10, 2019risk 0.00cvss —epss 0.00
GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags.
- CVE-2018-19577Jul 10, 2019risk 0.00cvss —epss 0.00
Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue.
- CVE-2018-18643Apr 25, 2019risk 0.00cvss —epss 0.00
GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.
- CVE-2018-19856Mar 26, 2019risk 0.00cvss —epss 0.00
GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API.
Page 21 of 21