Vendor CVEs
GitLab Inc.
All CVEs
1,397 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-14602 | Hig | 0.42 | 7.5 | 0.02 | Jul 27, 2018 | An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames. | ||
| CVE-2018-14601 | Hig | 0.42 | 7.5 | 0.01 | Jul 27, 2018 | An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.2. A Denial of Service can occur because Markdown rendering times are slow. | ||
| CVE-2018-8801 | Med | 0.42 | 6.5 | 0.01 | Apr 25, 2018 | GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component. | ||
| CVE-2017-0927 | Med | 0.42 | 6.5 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users. | ||
| CVE-2014-8540 | Med | 0.42 | 6.5 | 0.02 | Jan 5, 2018 | The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks. | ||
| CVE-2017-11437 | Med | 0.42 | 6.5 | 0.01 | Aug 2, 2017 | GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users. | ||
| CVE-2017-11438 | Med | 0.41 | 6.3 | 0.01 | Aug 2, 2017 | GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup. | ||
| CVE-2017-0882 | Med | 0.41 | 6.3 | 0.01 | Mar 28, 2017 | Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. | ||
| CVE-2018-16050 | Med | 0.40 | 6.1 | 0.01 | Oct 3, 2018 | An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View. | ||
| CVE-2018-10379 | Med | 0.40 | 6.1 | 0.01 | May 31, 2018 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability. | ||
| CVE-2018-9244 | Med | 0.40 | 6.1 | 0.01 | Apr 5, 2018 | GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3,… | ||
| CVE-2018-9243 | Med | 0.40 | 6.1 | 0.01 | Apr 5, 2018 | GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and… | ||
| CVE-2017-0924 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting. | ||
| CVE-2017-0923 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting. | ||
| CVE-2017-0917 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2018 | Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting. | ||
| CVE-2017-8778 | Med | 0.40 | 6.1 | 0.01 | May 4, 2017 | GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document. | ||
| CVE-2026-3160 | Med | 0.38 | 5.8 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter… | ||
| CVE-2017-17716 | Med | 0.38 | 5.9 | 0.01 | Dec 17, 2017 | GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the… | ||
| CVE-2026-1516 | Med | 0.37 | 5.7 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted… | ||
| CVE-2026-6269 | Med | 0.35 | 5.4 | 0.00 | Jun 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests… | ||
| CVE-2026-6335 | Med | 0.35 | 5.4 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization. | ||
| CVE-2025-12669 | Med | 0.35 | 5.4 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper… | ||
| CVE-2026-6515 | Med | 0.35 | 5.4 | 0.00 | Apr 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions. | ||
| CVE-2026-4332 | Med | 0.35 | 5.4 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other… | ||
| CVE-2018-12607 | Med | 0.35 | 5.4 | 0.01 | Aug 3, 2018 | An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The charts feature contained a persistent XSS issue due to a lack of output encoding. | ||
| CVE-2018-12606 | Med | 0.35 | 5.4 | 0.01 | Aug 3, 2018 | An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The wiki contains a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature. | ||
| CVE-2018-12605 | Med | 0.35 | 5.4 | 0.01 | Aug 3, 2018 | An issue was discovered in GitLab Community Edition and Enterprise Edition 10.7.x before 10.7.6. The usage of 'url_for' contained a XSS issue due to it allowing arbitrary protocols as a parameter. | ||
| CVE-2026-9204 | Med | 0.34 | 5.3 | 0.00 | Jun 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal… | ||
| CVE-2026-6713 | Med | 0.34 | 5.3 | 0.00 | May 27, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks. | ||
| CVE-2026-3848 | Med | 0.33 | 5.0 | 0.00 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to… | ||
| CVE-2018-14604 | Med | 0.33 | 6.1 | 0.01 | Jul 27, 2018 | An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the tooltip of the job inside the CI/CD pipeline. | ||
| CVE-2021-39913 | Med | 0.29 | 4.4 | 0.00 | Nov 5, 2021 | Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system… | ||
| CVE-2021-22205 | 0.29 | — | 1.00 | KEV | Apr 23, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. | ||
| CVE-2026-6277 | Med | 0.28 | 4.3 | 0.00 | Jun 11, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security… | ||
| CVE-2026-10733 | Med | 0.28 | 4.3 | 0.00 | Jun 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization. | ||
| CVE-2026-9807 | Med | 0.28 | 4.3 | 0.00 | May 28, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect… | ||
| CVE-2026-8716 | Med | 0.28 | 4.3 | 0.00 | May 27, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended. | ||
| CVE-2026-5296 | Med | 0.28 | 4.3 | 0.00 | May 27, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to… | ||
| CVE-2026-2601 | Med | 0.28 | 4.3 | 0.00 | May 27, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on… | ||
| CVE-2026-8144 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization… | ||
| CVE-2026-6063 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules… | ||
| CVE-2026-3607 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access… | ||
| CVE-2026-3074 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access… | ||
| CVE-2026-3073 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload… | ||
| CVE-2026-1338 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to… | ||
| CVE-2025-13874 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access. | ||
| CVE-2026-5377 | Med | 0.28 | 4.3 | 0.00 | Apr 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering… | ||
| CVE-2026-2619 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private… | ||
| CVE-2026-2104 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient… | ||
| CVE-2026-1752 | Med | 0.28 | 4.3 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper… |
- risk 0.42cvss 7.5epss 0.02
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.2. A Denial of Service can occur because Markdown rendering times are slow.
- risk 0.42cvss 6.5epss 0.01
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
- risk 0.42cvss 6.5epss 0.01
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.
- risk 0.42cvss 6.5epss 0.02
The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks.
- risk 0.42cvss 6.5epss 0.01
GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users.
- risk 0.41cvss 6.3epss 0.01
GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup.
- risk 0.41cvss 6.3epss 0.01
Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability.
- risk 0.40cvss 6.1epss 0.01
GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3,…
- risk 0.40cvss 6.1epss 0.01
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and…
- risk 0.40cvss 6.1epss 0.01
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting.
- risk 0.40cvss 6.1epss 0.01
Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting.
- risk 0.40cvss 6.1epss 0.01
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting.
- risk 0.40cvss 6.1epss 0.01
GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document.
- risk 0.38cvss 5.8epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter…
- risk 0.38cvss 5.9epss 0.01
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the…
- risk 0.37cvss 5.7epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted…
- risk 0.35cvss 5.4epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests…
- risk 0.35cvss 5.4epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.
- risk 0.35cvss 5.4epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper…
- risk 0.35cvss 5.4epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
- risk 0.35cvss 5.4epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other…
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The charts feature contained a persistent XSS issue due to a lack of output encoding.
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The wiki contains a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature.
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in GitLab Community Edition and Enterprise Edition 10.7.x before 10.7.6. The usage of 'url_for' contained a XSS issue due to it allowing arbitrary protocols as a parameter.
- risk 0.34cvss 5.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal…
- risk 0.34cvss 5.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.
- risk 0.33cvss 5.0epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to…
- risk 0.33cvss 6.1epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the tooltip of the job inside the CI/CD pipeline.
- risk 0.29cvss 4.4epss 0.00
Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system…
- risk 0.29cvss —epss 1.00
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient…
- risk 0.28cvss 4.3epss 0.00
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper…
Page 2 of 28