GitLab
by GitLab Inc.
Source repositories
CVEs (1,214)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13302 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. |
| CVE-2020-13297 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When two-factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint. |
| CVE-2020-13304 | GitLab Inc. / GitLab | | 0.00 | — | 0.02 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The same two-factor authentication secret code was generated, which allowed an attacker to maintain access under certain conditions. |
| CVE-2020-13314 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The GitLab OmniAuth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages. |
| CVE-2020-13311 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The Wiki was vulnerable to a parser attack that prevents anyone from accessing the Wiki functionality through the user interface. |
| CVE-2020-13312 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter. |
| CVE-2020-13313 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control. |
| CVE-2020-13317 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL API allowed a maintainer to delete a repository. |
| CVE-2020-13318 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLab's EKS integration was vulnerable to a cross-account assume-role attack. |
| CVE-2020-13284 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API authorization was possible using an outdated CI job token. |
| CVE-2020-13289 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. In certain cases an invalid username could be accepted when 2FA is activated. |
| CVE-2020-13287 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see a confidential epic attached to confidential issues. |
| CVE-2020-13316 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a deploy token and allowed a disabled repository to be accessible via the git command line. |
| CVE-2020-13299 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens, and one could be re-used to obtain a valid session. |
| CVE-2020-13300 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Sep 14, 2020 | GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. |
| CVE-2020-13286 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Aug 13, 2020 | For GitLab before 13.0.12, 13.1.6 and 13.2.3, user-controlled git configuration settings can be modified to result in Server-Side Request Forgery. |
| CVE-2020-13281 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Aug 13, 2020 | For GitLab before 13.0.12, 13.1.6 and 13.2.3, a denial of service exists in the project import feature. |
| CVE-2020-13280 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Aug 13, 2020 | For GitLab before 13.0.12, 13.1.6 and 13.2.3, a memory exhaustion flaw exists due to excessive logging of an invite email error message. |
| CVE-2020-13285 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Aug 13, 2020 | For GitLab before 13.0.12, 13.1.6 and 13.2.3, a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip. |
| CVE-2020-13283 | GitLab Inc. / GitLab | | 0.00 | — | 0.01 | | Aug 13, 2020 | For GitLab before 13.0.12, 13.1.6 and 13.2.3, a cross-site scripting vulnerability exists in the issues list via the milestone title. |
Page 51 of 61