GitLab
by GitLab Inc.
Source repositories
CVEs (1,214)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13282 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Aug 13, 2020 | For GitLab before 13.0.12, 13.1.6, and 13.2.3, after a group transfer occurs, members from a parent group keep their access level on the subgroup, leading to improper access. |
| CVE-2020-13290 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Aug 12, 2020 | In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page. |
| CVE-2020-13291 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Aug 12, 2020 | In GitLab before 13.2.3, project sharing could temporarily allow too permissive access. |
| CVE-2020-13288 | GitLab Inc. / GitLab |  | 0.00 | — | 0.04 |  | Aug 12, 2020 | In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page. |
| CVE-2020-13292 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Aug 10, 2020 | In GitLab before 13.0.12, 13.1.6, and 13.2.3, it is possible to bypass the e-mail verification that is required for the OAuth flow. |
| CVE-2020-13294 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Aug 10, 2020 | In GitLab before 13.0.12, 13.1.6, and 13.2.3, access grants were not revoked when a user revoked access to an application. |
| CVE-2020-13293 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Aug 10, 2020 | In GitLab before 13.0.12, 13.1.6, and 13.2.3, using a branch with a hexadecimal name could override an existing hash. |
| CVE-2020-13263 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer to perform limited actions. |
| CVE-2020-13264 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view the Kubernetes cluster token. |
| CVE-2020-13261 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via the HTML source code. |
| CVE-2020-13262 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to issue PUT requests on behalf of other users when they click on a link. |
| CVE-2020-13275 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | A user with an unverified email address could request access to domain-restricted groups in GitLab EE 12.2 and later through 13.0.1. |
| CVE-2020-13274 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | A security issue allowed Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1. |
| CVE-2020-13273 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | A Denial of Service vulnerability allowed exhausting system resources in GitLab CE/EE 12.0 and later through 13.0.1. |
| CVE-2020-13265 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification. |
| CVE-2020-13272 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | Missing verification checks in the OAuth flow in GitLab CE/EE 12.3 and later through 13.0.1 allow an unverified user to use the OAuth authorization code flow. |
| CVE-2020-13276 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 19, 2020 | A user is allowed to set an email as a notification email without verifying the new email in all previous GitLab CE/EE versions through 13.0.1. |
| CVE-2020-13277 | GitLab Inc. / GitLab |  | 0.00 | — | 0.02 |  | Jun 19, 2020 | An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5. |
| CVE-2020-13269 | GitLab Inc. / GitLab |  | 0.00 | — | 0.02 |  | Jun 10, 2020 | A reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code in the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1. |
| CVE-2020-13270 | GitLab Inc. / GitLab |  | 0.00 | — | 0.01 |  | Jun 10, 2020 | Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via the API. |
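The affected-version phrasing in the descriptions above follows three patterns: a list of fixed releases ("before 13.0.12, 13.1.6, and 13.2.3", one fix per release line), an inclusive range ("12.6 and later through 13.0.1"), and "all previous ... versions through 13.0.1". The script below is an added example, not code from GitLab or from the CVE database, that parses those patterns and reports which of a handful of entries (descriptions copied from this listing) apply to a given self-managed GitLab version. The "before A, B, C" semantics it assumes is that a version on a release line with no listed fix is affected only if it is below the newest fix, and a version on a listed line is affected only below that line's fix.

```python
"""Check a GitLab version against the affected-version phrasing used in
CVE descriptions.  Added example; the sample entries in LISTING are copied
from the vulnerability listing, everything else is illustrative."""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

_V = r"\d+(?:\.\d+){1,2}"
# "before 13.0.12, 13.1.6, and 13.2.3" / "before 13.0.12, 13.1.6 and 13.2.3" / "before 13.2.3"
BEFORE_RE = re.compile(rf"\bbefore\s+({_V}(?:(?:,\s*(?:and\s+)?|\s+and\s+){_V})*)")
# "10.6 and later through 13.0.5"  (inclusive on both ends)
RANGE_RE = re.compile(rf"\b({_V})\s+and\s+later\s+through\s+({_V})")
# "all previous GitLab CE/EE versions through 13.0.1"
ALL_PREV_RE = re.compile(rf"\ball previous\b.*?\bthrough\s+({_V})")


def parse_version(text: str) -> Version:
    """'12.6' -> (12, 6, 0); pad to three components so comparisons are uniform."""
    parts = [int(p) for p in text.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return (parts[0], parts[1], parts[2] if len(parts) == 3 else 0)


def affected_by_fix_list(version: Version, fixes: List[Version]) -> bool:
    """'before A, B, C' semantics (assumed): each fix patches its own
    major.minor line; an older line with no listed fix is still affected."""
    fixes = sorted(fixes)
    if version >= fixes[-1]:          # at or after the newest fixed release
        return False
    for fix in fixes:
        if version[:2] == fix[:2]:    # same release line as a listed fix
            return version < fix
    return True                       # older line, nothing backported


def is_affected(version: Version, description: str) -> bool:
    m = RANGE_RE.search(description)
    if m:
        return parse_version(m.group(1)) <= version <= parse_version(m.group(2))
    m = ALL_PREV_RE.search(description)
    if m:
        return version <= parse_version(m.group(1))
    m = BEFORE_RE.search(description)
    if m:
        fixes = [parse_version(v) for v in re.findall(_V, m.group(1))]
        return affected_by_fix_list(version, fixes)
    # Fail loudly rather than silently reporting "not affected".
    raise ValueError(f"no recognised version phrasing in: {description!r}")


# Sample rows copied from the listing (CVE id, description).
LISTING = [
    ("CVE-2020-13282", "For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, "
                       "members from a parent group keep their access level on the subgroup leading to improper access."),
    ("CVE-2020-13293", "In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal "
                       "name could override an existing hash."),
    ("CVE-2020-13291", "In GitLab before 13.2.3, project sharing could temporarily allow too permissive access."),
    ("CVE-2020-13277", "An authorization issue in the mirroring logic allowed read access to private "
                       "repositories in GitLab CE/EE 10.6 and later through 13.0.5"),
    ("CVE-2020-13264", "Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 "
                       "allows other group maintainers to view Kubernetes cluster token"),
    ("CVE-2020-13274", "A security issue allowed achieving Denial of Service attacks through memory exhaustion "
                       "by uploading malicious artifacts in all previous GitLab versions through 13.0.1"),
    ("CVE-2020-13272", "OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows "
                       "unverified user to use OAuth authorization code flow"),
]


def affected_cves(version_text: str, listing=LISTING) -> List[str]:
    """Return the ids of every listing entry whose phrasing covers version_text."""
    v = parse_version(version_text)
    return [cve for cve, desc in listing if is_affected(v, desc)]


if __name__ == "__main__":
    for v in ("12.5.0", "13.0.5", "13.0.12", "13.1.5", "13.2.3"):
        print(v, affected_cves(v))
```

Note that 13.0.12 still shows up for CVE-2020-13291: its description names 13.2.3 as the only fixed release, so on this page's own wording the 13.0 and 13.1 backports do not cover it. That kind of inconsistency between entries is exactly why the check is worth automating rather than eyeballing version strings.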
Page 52 of 61