CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab : Security Vulnerabilities (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-22230 2021-07-07 2021-07-09
6.5
None Remote Low ??? Partial Partial Partial
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
2 CVE-2021-22221 613 2021-06-08 2021-06-15
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired
3 CVE-2021-22210 770 2021-05-06 2021-05-13
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
4 CVE-2021-22209 863 2021-05-06 2021-05-13
5.0
None Remote Low Not required None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
5 CVE-2021-22205 20 Exec Code 2021-04-23 2021-04-30
6.5
None Remote Low ??? Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
6 CVE-2021-22203 2021-04-02 2021-04-07
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
7 CVE-2021-22195 77 Exec Code 2021-04-01 2021-04-07
6.8
None Remote Medium Not required Partial Partial Partial
Client side code execution in gitlab-vscode-extension v3.15.0 and earlier allows attacker to execute code on user system
8 CVE-2021-22192 Exec Code 2021-03-24 2021-03-26
6.5
None Remote Low ??? Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
9 CVE-2021-22189 295 2021-03-04 2021-03-10
6.5
None Remote Low ??? Partial Partial Partial
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
10 CVE-2021-22188 2021-03-03 2021-03-10
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
11 CVE-2021-22179 918 2021-03-24 2021-03-26
5.5
None Remote Low ??? None Partial Partial
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
12 CVE-2021-22175 918 2021-06-11 2021-06-21
6.8
None Remote Medium Not required Partial Partial Partial
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
13 CVE-2021-22167 2021-01-15 2021-01-22
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
14 CVE-2021-22166 400 DoS 2021-01-15 2021-01-21
5.0
None Remote Low Not required None None Partial
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method
15 CVE-2020-26417 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
16 CVE-2020-26413 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
17 CVE-2020-26408 200 +Info 2020-12-11 2021-07-21
5.0
None Remote Low Not required Partial None None
A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile
18 CVE-2020-26406 2020-11-17 2020-12-01
5.0
None Remote Low Not required Partial None None
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
19 CVE-2020-26405 22 Dir. Trav. 2020-11-17 2020-12-01
5.5
None Remote Low ??? None Partial Partial
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
20 CVE-2020-15525 269 2020-07-07 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.
21 CVE-2020-14155 190 Overflow 2020-06-15 2021-03-04
5.0
None Remote Low Not required None None Partial
libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
22 CVE-2020-13359 200 Bypass +Info 2020-11-19 2021-07-21
5.5
None Remote Low ??? Partial Partial None
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
23 CVE-2020-13356 Bypass 2020-11-19 2020-12-01
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
24 CVE-2020-13355 22 Dir. Trav. 2020-11-19 2020-12-01
5.5
None Remote Low ??? None Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
25 CVE-2020-13352 2020-11-17 2020-11-27
5.0
None Remote Low Not required Partial None None
Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
26 CVE-2020-13351 276 2020-11-17 2020-11-27
5.0
None Remote Low Not required Partial None None
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2.
27 CVE-2020-13347 77 2020-10-07 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable.
28 CVE-2020-13339 79 XSS 2020-10-08 2020-10-08
6.0
None Remote Medium ??? Partial Partial Partial
An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
29 CVE-2020-13334 863 2020-10-07 2020-10-15
5.0
None Remote Low Not required None Partial None
In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query
30 CVE-2020-13327 2020-10-22 2020-11-02
6.0
None Remote Medium ??? Partial Partial Partial
An issue has been discovered in GitLab Runner affecting all versions starting from 13.4.0 before 13.4.2, all versions starting from 13.3.0 before 13.3.7, all versions starting from 13.2.0 before 13.2.10. Insecure Runner Configuration in Kubernetes Environments
31 CVE-2020-13325 DoS 2020-09-30 2020-10-02
5.5
None Remote Low ??? None Partial Partial
A vulnerability was discovered in GitLab versions prior 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service.
32 CVE-2020-13322 863 2020-09-30 2020-10-02
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.
33 CVE-2020-13321 Bypass 2020-09-30 2020-10-02
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added.
34 CVE-2020-13315 DoS 2020-09-14 2020-09-21
5.0
None Remote Low Not required None None Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The profile activity page was not restricting the amount of results one could request, potentially resulting in a denial of service.
35 CVE-2020-13314 2020-09-14 2020-09-16
5.0
None Remote Low Not required None Partial None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages.
36 CVE-2020-13312 522 2020-09-14 2021-07-21
5.0
None Remote Low Not required Partial None None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.
37 CVE-2020-13309 918 2020-09-14 2020-09-21
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature.
38 CVE-2020-13307 613 2020-09-15 2020-09-18
6.0
None Remote Medium ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access.
39 CVE-2020-13306 770 DoS 2020-09-14 2020-09-16
5.0
None Remote Low Not required None None Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Webhook feature could be abused to perform denial of service attacks due to the lack of rate limitation.
40 CVE-2020-13304 287 2020-09-14 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions.
41 CVE-2020-13302 613 2020-09-14 2020-09-17
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password.
42 CVE-2020-13300 863 2020-09-14 2020-09-16
6.4
None Remote Low Not required Partial Partial None
GitLab before version 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
43 CVE-2020-13299 613 2020-09-14 2020-09-16
5.5
None Remote Low ??? Partial Partial None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
44 CVE-2020-13298 20 2020-09-14 2021-07-21
5.0
None Remote Low Not required Partial None None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Conan package upload functionality was not properly validating the supplied parameters, which resulted in the limited files disclosure.
45 CVE-2020-13296 862 2020-09-30 2020-10-02
7.5
None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens
46 CVE-2020-13295 918 2020-08-10 2020-08-12
6.5
None Remote Low ??? Partial Partial Partial
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
47 CVE-2020-13294 2020-08-10 2020-10-06
5.5
None Remote Low ??? Partial Partial None
In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not revoked when a user revoked access to an application.
48 CVE-2020-13293 704 2020-08-10 2021-07-21
5.5
None Remote Low ??? None Partial Partial
In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.
49 CVE-2020-13292 287 Bypass 2020-08-10 2020-08-11
5.5
None Remote Low ??? Partial Partial None
In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow.
50 CVE-2020-13291 2020-08-12 2020-08-17
5.5
None Remote Low ??? Partial Partial None
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
Total number of vulnerabilities : 260   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.