CVEdetails.com the ultimate security vulnerability data source

Gitlab : Security Vulnerabilities (CVSS score >= 6)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2021-22230 | | | | 2021-07-07 | 2021-07-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2. |
| 2 | CVE-2021-22221 | 613 | | | 2021-06-08 | 2021-06-15 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, and all versions starting from 13.12.0 before 13.12.2. Insufficient expired-password validation in various operations allows a user to maintain limited access after their password has expired. |
| 3 | CVE-2021-22205 | 20 | | Exec Code | 2021-04-23 | 2021-04-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution. |
| 4 | CVE-2021-22195 | 77 | | Exec Code | 2021-04-01 | 2021-04-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Client-side code execution in gitlab-vscode-extension v3.15.0 and earlier allows an attacker to execute code on the user's system. |
| 5 | CVE-2021-22192 | | | Exec Code | 2021-03-24 | 2021-03-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2, allowing unauthorized authenticated users to execute arbitrary code on the server. |
| 6 | CVE-2021-22189 | 295 | | | 2021-03-04 | 2021-03-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Starting with version 13.7, GitLab CE/EE was affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues. |
| 7 | CVE-2021-22175 | 918 | | | 2021-06-11 | 2021-06-21 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 could be exploited by an unauthenticated attacker even on a GitLab instance where registration is disabled. |
| 8 | CVE-2020-13356 | | | Bypass | 2020-11-19 | 2020-12-01 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2. |
| 9 | CVE-2020-13347 | 77 | | | 2020-10-07 | 2021-07-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a Docker executor, the DOCKER_AUTH_CONFIG build variable allows an attacker to run arbitrary commands on the Windows host. |
| 10 | CVE-2020-13339 | 79 | | XSS | 2020-10-08 | 2020-10-08 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited because only the current user is affected. |
| 11 | CVE-2020-13327 | | | | 2020-10-22 | 2020-11-02 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | An issue has been discovered in GitLab Runner affecting all versions starting from 13.4.0 before 13.4.2, all versions starting from 13.3.0 before 13.3.7, and all versions starting from 13.2.0 before 13.2.10: Insecure Runner Configuration in Kubernetes Environments. |
| 12 | CVE-2020-13322 | 863 | | | 2020-09-30 | 2020-10-02 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens. |
| 13 | CVE-2020-13321 | | | Bypass | 2020-09-30 | 2020-10-02 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed, allowing HTML tags to be added. |
| 14 | CVE-2020-13309 | 918 | | | 2020-09-14 | 2020-09-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature. |
| 15 | CVE-2020-13307 | 613 | | | 2020-09-15 | 2020-09-18 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when two-factor authentication was activated, allowing a malicious user to maintain their access. |
| 16 | CVE-2020-13304 | 287 | | | 2020-09-14 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The same two-factor authentication secret code was generated, which allowed an attacker to maintain access under certain conditions. |
| 17 | CVE-2020-13302 | 613 | | | 2020-09-14 | 2020-09-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. |
| 18 | CVE-2020-13300 | 863 | | | 2020-09-14 | 2020-09-16 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | GitLab before version 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. |
| 19 | CVE-2020-13296 | 862 | | | 2020-09-30 | 2020-10-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, and >=13.2.0 <13.2.6: Improper Access Control for Deploy Tokens. |
| 20 | CVE-2020-13295 | 918 | | | 2020-08-10 | 2020-08-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | For GitLab Runner before 13.0.12, 13.1.6 and 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF. |
| 21 | CVE-2020-13290 | | | | 2020-08-12 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page. |
| 22 | CVE-2020-13279 | 74 | | Exec Code | 2020-06-22 | 2021-07-21 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Client-side code execution in gitlab-vscode-extension v2.2.0 allows an attacker to execute code on the user's system. |
| 23 | CVE-2020-13273 | 400 | | DoS | 2020-06-19 | 2021-07-21 | 7.8 | None | Remote | Low | Not required | None | None | Complete | A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1. |
| 24 | CVE-2020-13272 | 863 | | | 2020-06-19 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Missing verification checks in the OAuth flow in GitLab CE/EE 12.3 and later through 13.0.1 allow an unverified user to use the OAuth authorization code flow. |
| 25 | CVE-2020-13270 | 276 | | | 2020-06-10 | 2020-06-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via the API. |
| 26 | CVE-2020-13263 | 863 | | | 2020-06-19 | 2020-07-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer to perform limited actions. |
| 27 | CVE-2020-10980 | 918 | | | 2020-04-08 | 2020-04-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration. |
| 28 | CVE-2020-10956 | 918 | | | 2020-03-27 | 2020-04-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. |
| 29 | CVE-2020-10083 | 281 | | | 2020-03-13 | 2020-03-17 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied. |
| 30 | CVE-2020-10077 | 918 | | | 2020-03-13 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server-side request forgery risk. |
| 31 | CVE-2020-10074 | | | | 2020-03-13 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link. |
| 32 | CVE-2020-8114 | 276 | | | 2020-02-05 | 2020-02-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab EE 8.9 and later through 12.7.2 has Insecure Permissions. |
| 33 | CVE-2020-8113 | 269 | | | 2020-03-06 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab 10.7 and later through 12.7.2 has Incorrect Access Control. |
| 34 | CVE-2019-19628 | 22 | | Exec Code Dir. Trav. | 2020-01-05 | 2020-01-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. |
| 35 | CVE-2019-19261 | 918 | | | 2020-01-03 | 2020-01-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. |
| 36 | CVE-2019-19088 | 22 | | Dir. Trav. | 2020-01-03 | 2020-01-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal. |
| 37 | CVE-2019-18457 | 281 | | | 2019-11-26 | 2019-11-27 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens. It has Insecure Permissions. |
| 38 | CVE-2019-15741 | | | | 2019-09-16 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation. |
| 39 | CVE-2019-15737 | | | | 2019-09-16 | 2020-08-24 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Certain account actions needed improved authentication and session management. |
| 40 | CVE-2019-15589 | | | | 2019-12-18 | 2019-12-27 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An improper access control vulnerability exists in GitLab <v12.3.2, <v12.2.6, <v12.1.12 which would allow a blocked user to use Git clone and pull if they had obtained a CI/CD token beforehand. |
| 41 | CVE-2019-15585 | 287 | | | 2020-01-28 | 2020-01-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Improper authentication exists in GitLab Community Edition (CE) and Enterprise Edition (EE) < 12.3.2, < 12.2.6, and < 12.1.12: the GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account. |
| 42 | CVE-2019-14943 | 798 | | | 2019-08-29 | 2019-09-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials. |
| 43 | CVE-2019-12443 | 918 | | | 2020-03-10 | 2020-03-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by insufficient validation to prevent DNS rebinding attacks. |
| 44 | CVE-2019-12430 | 78 | | Exec Code | 2020-03-10 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. It allows Command Injection. |
| 45 | CVE-2019-12428 | | | Bypass | 2020-03-10 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization. |
| 46 | CVE-2019-9890 | | | | 2019-04-17 | 2020-08-24 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions. |
| 47 | CVE-2019-9756 | 639 | | | 2019-04-17 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732. |
| 48 | CVE-2019-9732 | | | | 2019-05-29 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control. |
| 49 | CVE-2019-9485 | | | | 2019-05-29 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions. |
| 50 | CVE-2019-9218 | | | | 2019-05-29 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5). |
Total number of vulnerabilities: 88 (page 1 of 2)