GitLab
by GitLab Inc.
Source repositories
CVEs (1,214)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10082 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Mar 13, 2020 | GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered. |
| CVE-2020-10080 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Mar 13, 2020 | GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group. |
| CVE-2020-10079 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Mar 13, 2020 | GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required. |
| CVE-2020-10535 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Mar 12, 2020 | GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address. |
| CVE-2019-12433 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Mar 10, 2020 | An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues. |
| CVE-2019-15582 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Jan 28, 2020 | An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment. |
| CVE-2019-15581 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Jan 28, 2020 | An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules. |
| CVE-2019-15579 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Jan 28, 2020 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones. |
| CVE-2019-20143 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Jan 13, 2020 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access Control. |
| CVE-2019-20148 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Jan 13, 2020 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control. |
| CVE-2019-20146 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Jan 13, 2020 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption. |
| CVE-2018-20496 | GitLab | Med | 0.35 | 5.4 | 0.01 | | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
| CVE-2018-20490 | GitLab | Med | 0.35 | 5.4 | 0.01 | | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
| CVE-2019-5487 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Dec 18, 2019 | An improper access control vulnerability exists in GitLab EE <v12.3.3, <v12.2.7, & <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits. |
| CVE-2019-18452 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions. |
| CVE-2019-18459 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4). |
| CVE-2019-15738 | GitLab | Med | 0.35 | 5.3 | 0.02 | | Sep 16, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email. |
| CVE-2019-15731 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Sep 16, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. |
| CVE-2019-15726 | GitLab | Med | 0.35 | 5.3 | 0.02 | | Sep 16, 2019 | An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server. |
| CVE-2019-15723 | GitLab | Med | 0.35 | 5.3 | 0.01 | | Sep 16, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations. |