GitLab Enterprise Edition
by GitLab Inc.
Source repositories
CVEs (80)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-12445 | Med | 0.35 | 5.4 | 0.01 | Mar 10, 2020 | An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows XSS. | ||
| CVE-2019-15578 | Med | 0.35 | 5.3 | 0.01 | Jan 28, 2020 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests. | ||
| CVE-2020-6832 | Med | 0.35 | 5.3 | 0.01 | Jan 13, 2020 | An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects. | ||
| CVE-2019-20147 | Med | 0.35 | 5.3 | 0.01 | Jan 13, 2020 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control. | ||
| CVE-2018-20507 | Med | 0.35 | 5.3 | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | ||
| CVE-2018-20491 | Med | 0.35 | 5.4 | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | ||
| CVE-2019-11548 | Med | 0.35 | 5.4 | 0.01 | Sep 9, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint. | ||
| CVE-2019-6787 | Med | 0.35 | 6.5 | 0.01 | May 17, 2019 | An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitLab API allowed project Maintainers and Owners to view the trigger tokens of other project users. | ||
| CVE-2019-9224 | Med | 0.35 | 5.3 | 0.02 | Apr 17, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 4 of 5). | ||
| CVE-2018-12607 | Med | 0.35 | 5.4 | 0.01 | Aug 3, 2018 | An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The charts feature contained a persistent XSS issue due to a lack of output encoding. | ||
| CVE-2018-12605 | Med | 0.35 | 5.4 | 0.01 | Aug 3, 2018 | An issue was discovered in GitLab Community Edition and Enterprise Edition 10.7.x before 10.7.6. The usage of 'url_for' contained a XSS issue due to it allowing arbitrary protocols as a parameter. | ||
| CVE-2018-17453 | Med | 0.34 | 5.3 | 0.01 | Apr 15, 2023 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers may have been able to obtain sensitive access-token data from Sentry logs via the GRPC::Unknown exception. | ||
| CVE-2019-6796 | Med | 0.33 | 6.1 | 0.01 | Apr 11, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 2 of 2). The user status field contains a lack of input validation and output encoding that results in a persistent XSS. | ||
| CVE-2019-19310 | Med | 0.32 | 4.9 | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure. | ||
| CVE-2019-13011 | Med | 0.28 | 4.3 | 0.01 | Mar 10, 2020 | An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute-force a user with access to a project, but not it's repository could create a list of merge requests template names. It has excessive algorithmic complexity. | ||
| CVE-2019-12825 | Med | 0.28 | 4.3 | 0.01 | Feb 17, 2020 | Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not… | ||
| CVE-2019-20144 | Med | 0.28 | 4.3 | 0.01 | Jan 13, 2020 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control. | ||
| CVE-2019-20142 | Med | 0.28 | 4.3 | 0.01 | Jan 13, 2020 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service. | ||
| CVE-2019-19263 | Med | 0.28 | 4.3 | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions. | ||
| CVE-2019-19262 | Med | 0.28 | 4.3 | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions. |
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows XSS.
- risk 0.35cvss 5.3epss 0.01
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint.
- risk 0.35cvss 6.5epss 0.01
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitLab API allowed project Maintainers and Owners to view the trigger tokens of other project users.
- risk 0.35cvss 5.3epss 0.02
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 4 of 5).
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The charts feature contained a persistent XSS issue due to a lack of output encoding.
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community Edition and Enterprise Edition 10.7.x before 10.7.6. The usage of 'url_for' contained a XSS issue due to it allowing arbitrary protocols as a parameter.
- risk 0.34cvss 5.3epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers may have been able to obtain sensitive access-token data from Sentry logs via the GRPC::Unknown exception.
- risk 0.33cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 2 of 2). The user status field contains a lack of input validation and output encoding that results in a persistent XSS.
- risk 0.32cvss 4.9epss 0.01
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute-force a user with access to a project, but not it's repository could create a list of merge requests template names. It has excessive algorithmic complexity.
- risk 0.28cvss 4.3epss 0.01
Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not…
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service.
- risk 0.28cvss 4.3epss 0.01
GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions.
- risk 0.28cvss 4.3epss 0.01
GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions.
Page 3 of 4