VYPR: Vendor CVEs for GitLab Inc.

All CVEs (1,397 total, sorted by risk)
  • CVE-2020-10981 (Apr 8, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.

  • CVE-2020-10952 (Mar 27, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.

  • CVE-2020-10953 (Mar 27, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue.

  • CVE-2020-10954 (Mar 27, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab through 12.9 is affected by a potential DoS in repository archive download.

  • CVE-2020-10955 (Mar 27, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.

  • CVE-2020-10956 (Mar 27, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.

  • CVE-2020-10073 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab EE 12.4.2 through 12.8.1 allows Denial of Service. It was internally discovered that a potential denial of service involving permissions checks could impact a project home page.

  • CVE-2020-10074 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.

  • CVE-2020-10075 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input.

  • CVE-2020-10076 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests.

  • CVE-2020-10077 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.

  • CVE-2020-10078 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability.

  • CVE-2020-10079 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required.

  • CVE-2020-10080 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.

  • CVE-2020-10081 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.

  • CVE-2020-10082 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered.

  • CVE-2020-10083 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied.

  • CVE-2020-10085 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing private merge request titles.

  • CVE-2020-10086 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read.

  • CVE-2020-10087 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.

  • CVE-2020-10088 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level.

  • CVE-2020-10089 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 8.11 through 12.8.1 allows a Denial of Service when using several features to recursively request each other.

  • CVE-2020-10090 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.

  • CVE-2020-10091 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.

  • CVE-2020-10092 (Mar 13, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration.

  • CVE-2020-10535 (Mar 12, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address.

  • CVE-2019-13121 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0.2. The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local network resources. It has Incorrect Access Control.

  • CVE-2019-13011 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute force, a user with access to a project, but not its repository, could create a list of merge request template names. It has excessive algorithmic complexity.

  • CVE-2019-13010 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Enterprise Edition 8.3 through 12.0.2. The color codes decoder was vulnerable to a resource depletion attack if specific formats were used. It allows Uncontrolled Resource Consumption.

  • CVE-2019-13009 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 9.2 through 12.0.2. Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper permission settings. It has Incorrect Access Control.

  • CVE-2019-13007 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 11.11 through 12.0.2. When an admin enabled one of the service templates, it was triggering an action that leads to resource depletion. It allows Uncontrolled Resource Consumption.

  • CVE-2019-13006 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 9.0 through 12.0.2. Users with access to issues, but not the repository, were able to view the number of related merge requests on an issue. It has Incorrect Access Control.

  • CVE-2019-13005 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab graphql service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. It has Incorrect…

  • CVE-2019-13004 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It has Incorrect Access Control (issue 1 of 2).

  • CVE-2019-13003 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition before 12.0.3. One of the parsers used by GitLab CI was vulnerable to a resource exhaustion attack. It allows Uncontrolled Resource Consumption.

  • CVE-2019-13002 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.

  • CVE-2019-13001 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass.

  • CVE-2019-12446 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 8.3 through 11.11. It allows Information Exposure through an Error Message.

  • CVE-2019-12445 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows XSS.

  • CVE-2019-12444 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 8.9 through 11.11. Wiki Pages contained a lack of input validation which resulted in a persistent XSS vulnerability.

  • CVE-2019-12443 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by insufficient validation to prevent DNS rebinding attacks.

  • CVE-2019-12442 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Enterprise Edition 11.7 through 11.11. The epic details page contained a lack of input validation and output encoding issue which resulted in a persistent XSS vulnerability on child epics.

  • CVE-2019-12441 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. The protected branches feature contained an access control issue which resulted in a bypass of the protected branches restriction rules. It has Incorrect Access Control.

  • CVE-2019-12434 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure.

  • CVE-2019-12433 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues.

  • CVE-2019-12432 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure.

  • CVE-2019-12431 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access Control.

  • CVE-2019-12430 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.03

    An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. It allows Command Injection.

  • CVE-2019-12429 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.

  • CVE-2019-12428 (Mar 10, 2020)
    risk 0.00 · cvss (not listed) · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization.

Page 23 of 28