Filtered by vendor Gitlab
Subscribe
Total
1001 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39884 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | |||||
| CVE-2021-39931 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 3.5 LOW | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error. | |||||
| CVE-2021-39932 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes. | |||||
| CVE-2021-39903 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings. | |||||
| CVE-2021-39910 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature. | |||||
| CVE-2021-4191 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API. | |||||
| CVE-2021-22217 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request | |||||
| CVE-2021-22215 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 2.7 LOW |
| An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects | |||||
| CVE-2021-22213 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari | |||||
| CVE-2021-22170 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted content | |||||
| CVE-2021-39934 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | |||||
| CVE-2021-22233 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details | |||||
| CVE-2022-2227 | 1 Gitlab | 1 Gitlab | 2022-07-08 | 3.5 LOW | 4.3 MEDIUM |
| Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions | |||||
| CVE-2021-39875 | 1 Gitlab | 1 Gitlab | 2022-06-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | |||||
| CVE-2021-39869 | 1 Gitlab | 1 Gitlab | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. | |||||
| CVE-2021-22208 | 1 Gitlab | 1 Gitlab | 2022-06-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update. | |||||
| CVE-2022-1680 | 1 Gitlab | 1 Gitlab | 2022-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account. | |||||
| CVE-2020-13353 | 1 Gitlab | 1 Gitaly | 2022-06-13 | 2.1 LOW | 3.2 LOW |
| When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. | |||||
| CVE-2022-1944 | 1 Gitlab | 1 Gitlab | 2022-06-13 | 4.9 MEDIUM | 7.1 HIGH |
| When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs | |||||
| CVE-2022-1935 | 1 Gitlab | 1 Gitlab | 2022-06-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured | |||||