CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-32823 400 2021-06-24 2021-06-30
4.3
None Remote Medium Not required None None Partial
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.
2 CVE-2021-22233 200 +Info 2021-07-07 2021-07-09
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
3 CVE-2021-22232 74 2021-07-06 2021-07-08
3.5
None Remote Medium ??? None Partial None
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
4 CVE-2021-22231 DoS 2021-07-07 2021-07-09
4.0
None Remote Low ??? None None Partial
A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username.
5 CVE-2021-22230 2021-07-07 2021-07-09
6.5
None Remote Low ??? Partial Partial Partial
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
6 CVE-2021-22229 2021-07-06 2021-07-08
4.3
None Remote Medium Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member.
7 CVE-2021-22228 287 2021-07-06 2021-07-08
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using Graphql.
8 CVE-2021-22227 79 XSS 2021-07-07 2021-07-10
4.3
None Remote Medium Not required None Partial None
A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it
9 CVE-2021-22226 2021-07-06 2021-07-09
4.9
None Remote Medium ??? Partial Partial None
Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9
10 CVE-2021-22225 79 XSS 2021-07-07 2021-07-09
3.5
None Remote Medium ??? None Partial None
Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
11 CVE-2021-22224 352 CSRF 2021-07-07 2021-07-09
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim
12 CVE-2021-22223 79 XSS 2021-07-06 2021-07-09
4.3
None Remote Medium Not required None Partial None
Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link
13 CVE-2021-22221 613 2021-06-08 2021-06-15
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired
14 CVE-2021-22220 79 XSS 2021-06-08 2021-06-10
4.3
None Remote Medium Not required None Partial None
An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.
15 CVE-2021-22219 532 +Info 2021-06-08 2021-06-15
4.0
None Remote Low ??? Partial None None
GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
16 CVE-2021-22218 295 2021-06-08 2021-06-17
4.0
None Remote Low ??? None Partial None
All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.
17 CVE-2021-22217 400 DoS 2021-06-08 2021-06-15
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request
18 CVE-2021-22216 400 DoS 2021-06-08 2021-06-15
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description
19 CVE-2021-22215 668 +Info 2021-06-08 2021-07-07
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects
20 CVE-2021-22214 918 2021-06-08 2021-06-16
4.3
None Remote Medium Not required Partial None None
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
21 CVE-2021-22213 200 +Info 2021-06-08 2021-06-15
4.3
None Remote Medium Not required Partial None None
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
22 CVE-2021-22211 863 2021-05-06 2021-05-13
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
23 CVE-2021-22210 770 2021-05-06 2021-05-13
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
24 CVE-2021-22209 863 2021-05-06 2021-05-13
5.0
None Remote Low Not required None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
25 CVE-2021-22208 862 2021-05-06 2021-05-13
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.
26 CVE-2021-22206 312 2021-05-06 2021-05-13
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,
27 CVE-2021-22205 20 Exec Code 2021-04-23 2021-04-30
6.5
None Remote Low ??? Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
28 CVE-2021-22203 2021-04-02 2021-04-07
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
29 CVE-2021-22202 352 CSRF 2021-04-02 2021-04-07
4.3
None Remote Medium Not required None Partial None
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
30 CVE-2021-22201 2021-04-02 2021-04-07
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
31 CVE-2021-22200 2021-04-02 2021-04-07
4.3
None Remote Medium Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
32 CVE-2021-22199 79 XSS 2021-04-22 2021-04-30
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
33 CVE-2021-22198 2021-04-02 2021-04-07
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
34 CVE-2021-22197 835 2021-04-02 2021-04-07
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other
35 CVE-2021-22196 79 XSS 2021-04-02 2021-04-07
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
36 CVE-2021-22195 77 Exec Code 2021-04-01 2021-04-07
6.8
None Remote Medium Not required Partial Partial Partial
Client side code execution in gitlab-vscode-extension v3.15.0 and earlier allows attacker to execute code on user system
37 CVE-2021-22194 312 2021-03-26 2021-07-13
2.1
None Local Low Not required Partial None None
In all versions of GitLab, marshalled session keys were being stored in Redis.
38 CVE-2021-22193 209 2021-03-24 2021-03-26
3.5
None Remote Medium ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
39 CVE-2021-22192 Exec Code 2021-03-24 2021-03-26
6.5
None Remote Low ??? Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
40 CVE-2021-22190 22 Dir. Trav. 2021-04-12 2021-04-20
4.0
None Remote Low ??? Partial None None
A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token
41 CVE-2021-22189 295 2021-03-04 2021-03-10
6.5
None Remote Low ??? Partial Partial Partial
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
42 CVE-2021-22188 2021-03-03 2021-03-10
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
43 CVE-2021-22187 400 2021-03-02 2021-05-04
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.
44 CVE-2021-22186 863 2021-03-24 2021-03-26
4.0
None Remote Low ??? None Partial None
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
45 CVE-2021-22185 79 XSS 2021-03-24 2021-03-26
3.5
None Remote Medium ??? None Partial None
Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki
46 CVE-2021-22184 200 +Info 2021-03-26 2021-03-30
2.1
None Local Low Not required Partial None None
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
47 CVE-2021-22183 79 XSS 2021-03-04 2021-03-10
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
48 CVE-2021-22182 79 XSS 2021-03-03 2021-03-04
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request.
49 CVE-2021-22181 400 DoS 2021-06-11 2021-06-21
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
50 CVE-2021-22180 863 2021-03-26 2021-03-30
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
Total number of vulnerabilities : 532   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.