GitLab
by GitLab Inc.
Source repositories
CVEs (1,214)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-39943 | Med | 0.28 | 4.3 | 0.01 | Feb 9, 2022 | An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via… | ||
| CVE-2022-0125 | Med | 0.28 | 4.3 | 0.01 | Jan 18, 2022 | An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to… | ||
| CVE-2022-0124 | Med | 0.28 | 4.3 | 0.01 | Jan 18, 2022 | An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack. | ||
| CVE-2021-39942 | Med | 0.28 | 4.3 | 0.01 | Jan 18, 2022 | A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package… | ||
| CVE-2021-39892 | Med | 0.28 | 4.3 | 0.01 | Jan 18, 2022 | In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users. | ||
| CVE-2021-39940 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of… | ||
| CVE-2021-39934 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | ||
| CVE-2021-39933 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was… | ||
| CVE-2021-39932 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for… | ||
| CVE-2021-39930 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates | ||
| CVE-2021-39917 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to… | ||
| CVE-2021-39916 | Med | 0.28 | 4.3 | 0.01 | Dec 13, 2021 | Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from… | ||
| CVE-2021-39905 | Med | 0.28 | 4.3 | 0.01 | Nov 5, 2021 | An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with | ||
| CVE-2021-39904 | Med | 0.28 | 4.3 | 0.01 | Nov 5, 2021 | An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions… | ||
| CVE-2021-39902 | Med | 0.28 | 4.3 | 0.01 | Nov 4, 2021 | Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. | ||
| CVE-2021-39889 | Med | 0.28 | 4.3 | 0.01 | Oct 5, 2021 | In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. | ||
| CVE-2021-39870 | Med | 0.28 | 4.3 | 0.01 | Oct 5, 2021 | In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call. | ||
| CVE-2021-22258 | Med | 0.28 | 4.3 | 0.01 | Oct 5, 2021 | The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses | ||
| CVE-2021-39888 | Med | 0.28 | 4.3 | 0.01 | Oct 5, 2021 | In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge… | ||
| CVE-2021-39884 | Med | 0.28 | 4.3 | 0.01 | Oct 5, 2021 | In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. |
- risk 0.28cvss 4.3epss 0.01
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via…
- risk 0.28cvss 4.3epss 0.01
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to…
- risk 0.28cvss 4.3epss 0.01
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack.
- risk 0.28cvss 4.3epss 0.01
A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package…
- risk 0.28cvss 4.3epss 0.01
In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.
- risk 0.28cvss 4.3epss 0.01
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of…
- risk 0.28cvss 4.3epss 0.01
Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.
- risk 0.28cvss 4.3epss 0.01
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was…
- risk 0.28cvss 4.3epss 0.01
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for…
- risk 0.28cvss 4.3epss 0.01
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
- risk 0.28cvss 4.3epss 0.01
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to…
- risk 0.28cvss 4.3epss 0.01
Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from…
- risk 0.28cvss 4.3epss 0.01
An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with
- risk 0.28cvss 4.3epss 0.01
An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions…
- risk 0.28cvss 4.3epss 0.01
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
- risk 0.28cvss 4.3epss 0.01
In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.
- risk 0.28cvss 4.3epss 0.01
In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.
- risk 0.28cvss 4.3epss 0.01
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses
- risk 0.28cvss 4.3epss 0.01
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge…
- risk 0.28cvss 4.3epss 0.01
In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
Page 33 of 61