Vendor CVEs
GitLab Inc.
All CVEs
1,397 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2019-19312 | 0.00 | — | 0.01 | Jan 5, 2020 | GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project was changed to private, previously forked repositories could still obtain information about the private project through the API. |
| CVE-2019-19310 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure. |
| CVE-2019-19309 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control. |
| CVE-2019-19263 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions. |
| CVE-2019-19262 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions. |
| CVE-2019-19261 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. |
| CVE-2019-19260 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2). |
| CVE-2019-19259 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). |
| CVE-2019-19258 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control. |
| CVE-2019-19257 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2). |
| CVE-2019-19256 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control. |
| CVE-2019-19255 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access Control. |
| CVE-2019-19254 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Community Edition (CE) and Enterprise Edition (EE) 9.6 and later through 12.5 has Incorrect Access Control. |
| CVE-2019-19088 | 0.00 | — | 0.02 | Jan 3, 2020 | GitLab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal. |
| CVE-2019-19087 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2). |
| CVE-2019-19086 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2). |
| CVE-2019-19311 | 0.00 | — | 0.01 | Jan 3, 2020 | GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields. |
| CVE-2018-20499 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. |
| CVE-2018-20493 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2018-20507 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2018-20497 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. |
| CVE-2018-20495 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure. |
| CVE-2018-20490 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
| CVE-2018-20496 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
| CVE-2018-20488 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure. |
| CVE-2018-20491 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. |
| CVE-2018-20498 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2018-20501 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2018-20489 | 0.00 | — | 0.01 | Dec 30, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2019-15584 | 0.00 | — | 0.01 | Dec 20, 2019 | A denial of service exists in GitLab <v12.3.2, <v12.2.6, and <v12.1.10 that would let an attacker bypass input validation in markdown fields and take down the affected page. |
| CVE-2019-15589 | 0.00 | — | 0.01 | Dec 18, 2019 | An improper access control vulnerability exists in GitLab <v12.3.2, <v12.2.6, and <v12.1.12 that would allow a blocked user to use Git clone and pull if they had obtained a CI/CD token beforehand. |
| CVE-2019-5487 | 0.00 | — | 0.01 | Dec 18, 2019 | An improper access control vulnerability exists in GitLab EE <v12.3.3, <v12.2.7, and <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits. |
| CVE-2019-15575 | 0.00 | — | 0.02 | Dec 18, 2019 | A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope. |
| CVE-2019-15576 | 0.00 | — | 0.02 | Dec 18, 2019 | An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint. |
| CVE-2019-15577 | 0.00 | — | 0.01 | Dec 18, 2019 | An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing. |
| CVE-2019-5469 | 0.00 | — | 0.01 | Dec 18, 2019 | An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from a project archive to replace other users' files, potentially allowing an attacker to replace project binaries or other uploaded assets. |
| CVE-2019-15580 | 0.00 | — | 0.01 | Dec 18, 2019 | An information exposure vulnerability exists in GitLab <v12.3.2, <v12.2.6, and <v12.1.10: when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was… |
| CVE-2019-5486 | 0.00 | — | 0.02 | Dec 18, 2019 | An authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements. |
| CVE-2019-15591 | 0.00 | — | 0.01 | Dec 18, 2019 | An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled. |
| CVE-2019-18446 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2). |
| CVE-2019-18447 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions. |
| CVE-2019-18448 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control. |
| CVE-2019-18449 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2). |
| CVE-2019-18450 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions. |
| CVE-2019-18451 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect. |
| CVE-2019-18452 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions. |
| CVE-2019-18453 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions. |
| CVE-2019-18454 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in the link validation feature for RDoc wiki pages. It has XSS. |
| CVE-2019-18455 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 11 through 12.4 when building nested GraphQL queries. It has a large or infinite loop. |
| CVE-2019-18456 | 0.00 | — | 0.01 | Nov 26, 2019 | An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by the Elasticsearch integration. It has Insecure Permissions (issue 1 of 4). |
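The affected-version notation in this table comes in two shapes that both name the patched releases: the GitLab advisory style `<v12.3.2, <v12.2.6, and <v12.1.12` and the NVD style `before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1`. In both, GitLab backported the fix to three release branches, so an installed version is safe only if it is at or above the fix for its own major.minor branch, or newer than the newest patched branch; anything on an older branch never received a patch. The script below is an added example written for this page (not code from GitLab or from this site) that parses that notation and triages an installed version against a handful of rows copied from the table. Entries that only give a range such as `11.3 through 12.4.2` carry no fixed version, so the checker returns `None` for them and the reader must consult the release notes by hand. `triage`, `is_affected` and `ROWS` are names chosen for this example.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches the fixed-version notations used in the table:
#   "<v12.3.2" or "<12.3.3"   (GitLab advisory style)
#   "before 11.4.13"          (NVD style)
FIXED_RE = re.compile(r"(?:<v?|before\s+)(\d+)\.(\d+)\.(\d+)")

# Rows copied from the table above; (CVE, description).
ROWS = [
    ("CVE-2019-15575",
     "A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 "
     "that allowed an attacker to inject commands via the API through the blobs scope."),
    ("CVE-2019-5487",
     "An improper access control vulnerability exists in GitLab EE <v12.3.3, <v12.2.7, "
     "and <v12.1.13 that allowed the group search feature with Elasticsearch to return "
     "private code, merge requests and commits."),
    ("CVE-2018-20489",
     "An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, "
     "11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control."),
    ("CVE-2019-19088",
     "GitLab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal."),
]


def parse_version(s: str) -> Version:
    """Turn '12.3.2', 'v12.3.2' or '12.3.2-ee' into a (major, minor, patch) tuple."""
    nums = [int(x) for x in re.findall(r"\d+", s)[:3]]
    while len(nums) < 3:          # '12.3' is treated as 12.3.0
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def fixed_versions(description: str) -> List[Version]:
    """All patched releases named in a description, sorted ascending."""
    return sorted({(int(a), int(b), int(c)) for a, b, c in FIXED_RE.findall(description)})


def is_affected(installed: str, description: str) -> Optional[bool]:
    """True/False when the description names fixed releases, None when it does not."""
    fixes = fixed_versions(description)
    if not fixes:
        return None                # range-only wording such as "11.3 through 12.4.2"
    v = parse_version(installed)
    # Newer than the newest patched branch: the fix is already in the main line.
    if v[:2] > fixes[-1][:2]:
        return False
    # Same branch as a backport: safe once at or above that branch's fixed release.
    for fix in fixes:
        if v[:2] == fix[:2]:
            return v < fix
    # An older branch (or a gap between patched branches) never got the fix.
    return True


def triage(installed: str, rows) -> Tuple[List[str], List[str]]:
    """Split rows into CVEs that affect `installed` and CVEs that need a manual check."""
    affected, unknown = [], []
    for cve, description in rows:
        verdict = is_affected(installed, description)
        if verdict is None:
            unknown.append(cve)
        elif verdict:
            affected.append(cve)
    return affected, unknown


if __name__ == "__main__":
    hit, manual = triage("12.3.2", ROWS)
    print("affected:", hit)           # CVE-2019-5487 (12.3.x is fixed only in 12.3.3)
    print("check manually:", manual)  # CVE-2019-19088 (range-only description)
```

The point of the `None` branch is that a version checker should refuse to guess: a description such as `11.3 through 12.4.2` does not say which release closed the hole, and silently treating it as "not affected" is how patch gaps survive audits.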
Page 25 of 28