GitLab: Security Vulnerabilities (CVSS v2 base score between 5 and 8.99)

Column legend. Each entry below occupies four lines: (1) row number, CVE ID, CWE ID (omitted where none is mapped), number of public exploits (none listed on this page), vulnerability type tag where assigned (Exec Code, DoS, Bypass, CSRF, +Info), publish date, update date; (2) CVSS v2 base score; (3) the CVSS v2 metrics as CVEdetails labels them: gained access level (a CVEdetails column, not a CVSS metric), access vector (Remote / Local), access complexity (Low / Medium / High), authentication (Not required / Single system), and confidentiality, integrity and availability impact (None / Partial / Complete); (4) the CVE description.
1 CVE-2022-2270 276 2022-07-01 2022-07-13
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan package names due to incorrect permissions verification.
2 CVE-2022-2250 601 2022-07-01 2022-07-13
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL.
3 CVE-2022-2229 863 2022-07-01 2022-07-13
5.0
None Remote Low Not required Partial None None
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.
4 CVE-2022-2185 732 Exec Code 2022-07-01 2022-07-19
7.5
None Remote Low Not required Partial Partial Partial
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
5 CVE-2022-1963 2022-07-01 2022-07-13
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals in the HTML source, to unauthenticated users, whether a user has enabled two-factor authentication on their account.
6 CVE-2022-1954 DoS 2022-07-01 2022-07-13
5.0
None Remote Low Not required None None Partial
A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers.
7 CVE-2022-1680 2022-06-06 2022-06-17
6.5
None Remote Low Single system Partial Partial Partial
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
8 CVE-2022-1510 770 2022-05-11 2022-05-18
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption.
9 CVE-2022-1431 400 2022-05-10 2022-05-18
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption.
10 CVE-2022-1423 863 Exec Code 2022-05-19 2022-06-02
6.5
None Remote Low Single system Partial Partial Partial
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches.
11 CVE-2022-1413 668 2022-05-19 2022-06-02
5.0
None Remote Low Not required Partial None None
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface.
12 CVE-2022-1352 639 2022-05-11 2022-05-19
5.0
None Remote Low Not required Partial None None
Due to an insecure direct object reference vulnerability in GitLab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafts an API call with the ID of an issue from a public project that restricts issue access to project members.
13 CVE-2022-1188 918 2022-04-04 2022-04-11
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible.
14 CVE-2022-1174 400 2022-04-04 2022-04-11
5.0
None Remote Low Not required None None Partial
A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions starting from 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 that allowed an attacker to trigger high CPU usage via specially crafted input added to Issues, Merge requests, Milestones, Snippets, Wiki pages, etc.
15 CVE-2022-1162 798 2022-04-04 2022-04-27
7.5
None Remote Low Not required Partial Partial Partial
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.
16 CVE-2022-1121 770 2022-04-04 2022-04-11
5.0
None Remote Low Not required None None Partial
A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption.
17 CVE-2022-0751 2022-03-28 2022-04-05
6.8
None Remote Medium Not required Partial Partial Partial
Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands.
18 CVE-2022-0735 863 2022-03-28 2022-04-04
7.5
None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
19 CVE-2022-0427 352 2022-03-28 2022-04-04
6.8
None Remote Medium Not required Partial Partial Partial
Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf, leading to potential account takeover.
20 CVE-2022-0425 918 2022-04-01 2022-04-12
6.5
None Remote Low Single system Partial Partial Partial
A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks.
21 CVE-2022-0283 601 2022-03-28 2022-04-04
5.8
None Remote Medium Not required Partial Partial None
An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in the GitLab integration with Jira that could cause the web application to redirect the request to an attacker-specified URL.
22 CVE-2022-0249 918 2022-03-28 2022-04-04
6.4
None Remote Low Not required Partial Partial None
A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack because requests to the shared address space (100.64.0.0/10, RFC 6598) were not blocked.
23 CVE-2022-0244 552 2022-01-18 2022-01-25
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible when importing a group, due to incorrect file handling.
24 CVE-2022-0172 863 Bypass 2022-01-18 2022-01-25
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones.
25 CVE-2022-0154 352 CSRF 2022-01-18 2022-01-26
6.0
None Remote Medium Single system Partial Partial Partial
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.
26 CVE-2022-0151 DoS 2022-01-18 2022-01-25
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions.
27 CVE-2022-0136 918 2022-03-28 2022-04-04
5.5
None Remote Low Single system Partial Partial None
A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. GitLab was vulnerable to a blind SSRF attack through the Project Import feature.
28 CVE-2022-0090 269 2022-01-18 2022-01-25
5.0
None Remote Low Not required None Partial None
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab was configured so that git sub-commands did not ignore replacement references, allowing a malicious user to spoof the contents of their commits in the UI.
29 CVE-2021-39944 269 2021-12-13 2021-12-15
5.5
None Remote Low Single system Partial Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import.
30 CVE-2021-39941 200 +Info 2021-12-13 2021-12-15
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members.
31 CVE-2021-39937 269 2021-12-13 2021-12-15
6.5
None Remote Low Single system Partial Partial Partial
A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances
32 CVE-2021-39935 918 2021-12-13 2021-12-15
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
33 CVE-2021-39915 668 2021-12-13 2021-12-16
5.0
None Remote Low Not required Partial None None
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects.
34 CVE-2021-39914 400 DoS 2021-11-04 2022-05-03
5.0
None Remote Low Not required None None Partial
A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user.
35 CVE-2021-39913 532 2021-11-05 2022-07-12
7.2
None Local Low Not required Complete Complete Complete
Accidental logging of the system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges.
36 CVE-2021-39912 770 2021-11-05 2021-11-08
5.0
None Remote Low Not required None None Partial
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. A malformed TIFF image could be used to trigger memory exhaustion.
37 CVE-2021-39908 94 2022-04-01 2022-05-12
5.0
None Remote Low Not required None Partial None
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.
38 CVE-2021-39907 770 2021-11-05 2021-11-08
5.0
None Remote Low Not required None None Partial
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
39 CVE-2021-39898 200 +Info 2021-11-05 2022-07-12
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
40 CVE-2021-39897 281 2021-11-05 2021-11-08
5.0
None Remote Low Not required Partial None None
Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred.
41 CVE-2021-39896 2021-10-04 2021-10-12
5.5
None Remote Low Single system Partial Partial None
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.
42 CVE-2021-39894 918 2021-10-05 2021-10-12
5.5
None Remote Low Single system Partial Partial None
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer which may be used by attackers to perform Server Side Request Forgery (SSRF) attacks.
43 CVE-2021-39893 862 2021-10-05 2021-10-09
5.0
None Remote Low Not required None None Partial
A potential DoS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
44 CVE-2021-39890 287 Bypass 2021-12-06 2021-12-07
7.5
None Remote Low Not required Partial Partial Partial
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
45 CVE-2021-39882 319 2021-10-05 2021-10-12
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
46 CVE-2021-39875 200 +Info 2021-10-05 2021-10-12
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
47 CVE-2021-39867 918 2021-10-05 2021-10-12
5.5
None Remote Low Single system Partial Partial None
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
48 CVE-2021-39866 2021-10-05 2022-07-12
5.5
None Remote Low Single system Partial Partial None
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
49 CVE-2021-22263 269 2021-10-11 2021-10-18
5.5
None Remote Low Single system Partial Partial None
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
50 CVE-2021-22262 863 2021-10-05 2022-05-12
5.0
None Remote Low Not required None Partial None
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page.
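The listing above is only useful if it can be matched against the GitLab version actually deployed, and the displayed scores are only trustworthy if they can be reproduced from the vector fields. The following triage helper is an added example (not CVEdetails' or GitLab's code). It assumes the four-line entry layout used on this page (metadata / CVSS v2 score / CVSS v2 vector labels / description) and the advisory phrasing "starting from X before Y", "X prior to Y" or a bare "prior to Y"; descriptions in any other phrasing ("X to Y", "since version X") yield no ranges and are reported as needing manual triage. The three sample entries are copied from this page; the third has the authentication value the page renders as "???" written out as "Single system", the CVSS v2 Au:S label that its 5.5 score corresponds to.

```python
"""Triage helper for the four-line entries on this page (added example, not
CVEdetails' or GitLab's code).  Recomputes each entry's CVSS v2 base score
from the vector labels and checks an installed GitLab version against the
"starting from X before Y" / "X prior to Y" / "prior to Y" ranges in the
description.  Other phrasings yield no ranges and must be triaged by hand.
"""
import math
import re

# CVSS v2 base-metric weights, keyed by the labels this page uses.
# "Adjacent Network" does not appear on this page; that label is assumed.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single system": 0.56, "Not required": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

VECTOR_RE = re.compile(
    r"^(?P<gained>\S+)\s+(?P<av>Local|Adjacent Network|Remote)\s+"
    r"(?P<ac>High|Medium|Low)\s+(?P<au>Multiple|Single system|Not required)\s+"
    r"(?P<c>None|Partial|Complete)\s+(?P<i>None|Partial|Complete)\s+"
    r"(?P<a>None|Partial|Complete)$"
)
# Optional inclusive lower bound (absent in "all versions prior to 14.7.7"),
# then an exclusive upper bound.
RANGE_RE = re.compile(r"(?:(\d+(?:\.\d+)*)\s+)?(?:before|prior to)\s+(\d+(?:\.\d+)*)")


def cvss2_base_score(av, ac, au, c, i, a):
    """CVSS v2 base score from the page's vector labels (first.org v2 formula)."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10  # one decimal, rounding half up


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def affected_ranges(description):
    """[(lower_or_None, upper_exclusive), ...] parsed from the advisory text."""
    return [(lo or None, hi) for lo, hi in RANGE_RE.findall(description)]


def is_affected(description, installed):
    """True/False when the text yields ranges, None when it needs manual triage."""
    ranges = affected_ranges(description)
    if not ranges:
        return None
    inst = version_tuple(installed)
    return any(
        (lo is None or version_tuple(lo) <= inst) and inst < version_tuple(hi)
        for lo, hi in ranges
    )


def parse_entry(entry_text):
    """Parse one four-line entry and recompute its score for cross-checking."""
    meta, score, vector, description = [l.strip() for l in entry_text.strip().splitlines()]
    m = VECTOR_RE.match(vector)
    if m is None:
        raise ValueError("unrecognised vector line: " + vector)
    return {
        "cve": re.search(r"CVE-\d{4}-\d+", meta).group(0),
        "listed_score": float(score),
        "computed_score": cvss2_base_score(m["av"], m["ac"], m["au"], m["c"], m["i"], m["a"]),
        "ranges": affected_ranges(description),
        "description": description,
    }


# Three entries copied from this page (the third with "???" written as "Single system").
SAMPLE_ENTRIES = [
    """1 CVE-2022-2270 276 2022-07-01 2022-07-13
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan package names due to incorrect permissions verification.""",
    """35 CVE-2021-39913 532 2021-11-05 2022-07-12
7.2
None Local Low Not required Complete Complete Complete
Accidental logging of the system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges.""",
    """41 CVE-2021-39896 2021-10-04 2021-10-12
5.5
None Remote Low Single system Partial Partial None
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.""",
]

if __name__ == "__main__":
    for text in SAMPLE_ENTRIES:
        e = parse_entry(text)
        verdict = is_affected(e["description"], "14.3.2")
        print(e["cve"], "listed", e["listed_score"], "recomputed", e["computed_score"],
              "affects 14.3.2:", "manual triage" if verdict is None else verdict)
```

Every address range on an entry is checked, not only the first, because GitLab ships several maintained branches and an instance on 15.0.x is affected by the "15.0 before 15.0.4" range even though it is past the first range's upper bound. A None verdict should be treated as "affected until proven otherwise": the open-ended "since version X" entries on this page (for example CVE-2021-39896) are exactly the ones with no fixed version stated.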
Total number of vulnerabilities: 316 (this is page 1 of 7; entries 1-50 are shown above).
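Seven entries on this page are SSRF or DNS-rebinding flaws in outbound-request features (CVE-2022-0249, CVE-2022-0425, CVE-2022-1188, CVE-2022-0136, CVE-2021-39935, CVE-2021-39894, CVE-2021-39867), and two of the root causes are stated outright: requests to the shared address space were not blocked, and importers resolved a hostname, checked it, then let the HTTP client resolve it again. The guard below is an added example, not GitLab's code, showing the two fixes together: the RFC 6598 block 100.64.0.0/10 is denied alongside loopback, private and link-local ranges, and the destination is resolved and vetted exactly once, with the vetted IP pinned for the connection. The `resolve` callable, the `RebindingResolver` and its DNS answers, and the hostname `irc.example.test` are constructed for the offline demonstration; in production `resolve` wraps `socket.getaddrinfo`.

```python
"""Outbound-request guard against SSRF and DNS rebinding (added example, not
GitLab's code).  Denies the RFC 6598 shared address space 100.64.0.0/10 along
with the usual internal ranges, and pins the vetted IP so that a rebinding
DNS server cannot swap in an internal address between check and connect.
The resolver is injected so the rebinding race can be shown with constructed
DNS answers; in production it wraps socket.getaddrinfo.
"""
import ipaddress
from urllib.parse import urlsplit

# ipaddress.is_private does not cover 100.64.0.0/10, so it is checked explicitly.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def is_denied(ip_str):
    """True for any address an importer, webhook or IRC gateway must never reach."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or ip in SHARED_ADDRESS_SPACE)


def plan_request(url, resolve):
    """Vet the URL's host once; return (ip_to_connect_to, host_header).

    Every resolved address must pass: a client that falls back to the second
    A record would otherwise be steered to the internal one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are allowed")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS involved
    except ValueError:
        addrs = resolve(host)
    if not addrs or any(is_denied(a) for a in addrs):
        raise ValueError(f"refusing {host}: resolves to a denied address")
    # The caller connects to addrs[0] and sends `host` as Host header / SNI;
    # no second lookup happens, so a rebinding answer is never used.
    return addrs[0], host


def naive_target(url, resolve):
    """The vulnerable pattern: vet one lookup, then let the HTTP client resolve again."""
    host = urlsplit(url).hostname
    if any(is_denied(a) for a in resolve(host)):
        raise ValueError("denied")
    return resolve(host)[0]  # second lookup: this is where the client would connect


class RebindingResolver:
    """Constructed attacker DNS: a public answer on the first lookup, loopback after."""

    def __init__(self):
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["127.0.0.1"]


if __name__ == "__main__":
    url = "http://irc.example.test/"  # constructed hostname
    print("naive pattern connects to", naive_target(url, RebindingResolver()))
    print("pinned pattern connects to", plan_request(url, RebindingResolver()))
    for probe in ("100.64.3.4", "169.254.169.254", "::ffff:10.0.0.1", "93.184.216.34"):
        print(probe, "denied" if is_denied(probe) else "allowed")
```

The same `plan_request` has to be applied to every redirect hop: an allowed public host can answer 302 with a `Location` pointing at an internal address, so the client must not follow redirects automatically but re-vet each new URL. Short DNS TTLs are not a defence on their own; only pinning the vetted address closes the window.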