GitLab
by GitLab Inc.
Source repositories
CVEs (1,214)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-26411 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Dec 11, 2020 | A potential DoS vulnerability was discovered in all versions of GitLab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DoS if abused. |
| CVE-2020-26415 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Dec 11, 2020 | Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. |
| CVE-2020-13349 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Nov 17, 2020 | An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path left the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5,… |
| CVE-2020-13335 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Oct 7, 2020 | Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete their own account without deleting or transferring their group. |
| CVE-2020-13333 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.02 | | Oct 6, 2020 | A potential DoS vulnerability was discovered in GitLab versions 13.1, 13.2 and 13.3. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage. |
| CVE-2020-13326 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Sep 30, 2020 | A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for GitHub project import could be bypassed. |
| CVE-2020-13319 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Sep 30, 2020 | An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue. |
| CVE-2020-13313 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control. |
| CVE-2020-13311 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The Wiki was vulnerable to a parser attack that prevents anyone from accessing the Wiki functionality through the user interface. |
| CVE-2020-13287 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see confidential epics attached to confidential issues. |
| CVE-2020-13265 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Jun 19, 2020 | User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification. |
| CVE-2020-13266 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Jun 9, 2020 | Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions. |
| CVE-2019-13006 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Mar 10, 2020 | An issue was discovered in GitLab Community and Enterprise Edition 9.0 through 12.0.2. Users with access to issues, but not the repository, were able to view the number of related merge requests on an issue. It has Incorrect Access Control. |
| CVE-2019-13005 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Mar 10, 2020 | An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab GraphQL service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. It has Incorrect… |
| CVE-2019-13001 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Mar 10, 2020 | An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass. |
| CVE-2019-12434 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Mar 10, 2020 | An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects by comparing the destination URLs of issues linked in comments. It allows Information Disclosure. |
| CVE-2019-12431 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Mar 10, 2020 | An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access Control. |
| CVE-2019-15594 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Feb 14, 2020 | GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint. |
| CVE-2019-15592 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Feb 14, 2020 | GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated with an issue via the activity timeline. |
| CVE-2019-5465 | GitLab Inc. / GitLab | Med | 0.28 | 4.3 | 0.01 | | Jan 28, 2020 | An information disclosure issue was discovered in GitLab CE/EE 8.14 and later: using the move issue feature could result in disclosure of the newly created issue ID. |