CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab : Security Vulnerabilities (CVSS score between 7 and 8.99)

CVSS Scores Greater Than: 0   1   2   3   4   5   6   7   8   9  
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-2185 732 Exec Code 2022-07-01 2022-07-19
7.5
 None Remote Low Not required Partial Partial Partial
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
2 CVE-2022-1162 798 2022-04-04 2022-04-27
7.5
 None Remote Low Not required Partial Partial Partial
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
3 CVE-2022-0735 863 2022-03-28 2022-04-04
7.5
 None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
4 CVE-2021-39913 532 2021-11-05 2022-07-12
7.2
 None Local Low Not required Complete Complete Complete
Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges
5 CVE-2021-39890 287 Bypass 2021-12-06 2021-12-07
7.5
 None Remote Low Not required Partial Partial Partial
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
6 CVE-2021-22205 94 Exec Code 2021-04-23 2022-07-12
7.5
 None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
7 CVE-2021-22203 2021-04-02 2022-07-22
7.5
 None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
8 CVE-2020-13296 862 2020-09-30 2020-10-02
7.5
 None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens
9 CVE-2020-13273 400 DoS 2020-06-19 2021-07-21
7.8
 None Remote Low Not required None None Complete
A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1
10 CVE-2020-10980 918 2020-04-08 2020-04-09
7.5
 None Remote Low Not required Partial Partial Partial
GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.
11 CVE-2020-10956 918 2020-03-27 2020-04-01
7.5
 None Remote Low Not required Partial Partial Partial
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.
12 CVE-2020-10077 918 2020-03-13 2020-03-18
7.5
 None Remote Low Not required Partial Partial Partial
GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.
13 CVE-2020-10074 2020-03-13 2020-03-18
7.5
 None Remote Low Not required Partial Partial Partial
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.
14 CVE-2020-8114 276 2020-02-05 2020-02-07
7.5
 None Remote Low Not required Partial Partial Partial
GitLab EE 8.9 and later through 12.7.2 has Insecure Permission
15 CVE-2020-8113 269 2020-03-06 2020-03-18
7.5
 None Remote Low Not required Partial Partial Partial
GitLab 10.7 and later through 12.7.2 has Incorrect Access Control.
16 CVE-2019-19628 22 Exec Code Dir. Trav. 2020-01-05 2020-01-10
7.5
 None Remote Low Not required Partial Partial Partial
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
17 CVE-2019-19088 22 Dir. Trav. 2020-01-03 2020-01-06
7.5
 None Remote Low Not required Partial Partial Partial
Gitlab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal.
18 CVE-2019-15741 2019-09-16 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
19 CVE-2019-15585 287 2020-01-28 2020-01-29
7.5
 None Remote Low Not required Partial Partial Partial
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.
20 CVE-2019-14943 798 2019-08-29 2019-09-04
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials.
21 CVE-2019-12443 918 2020-03-10 2020-03-10
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validation to prevent DNS rebinding attacks.
22 CVE-2019-12428 Bypass 2020-03-10 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization.
23 CVE-2019-9756 639 2019-04-17 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
24 CVE-2019-9732 2019-05-29 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
25 CVE-2019-9485 2019-05-29 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
26 CVE-2019-9218 2019-05-29 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5).
27 CVE-2019-9217 2019-04-17 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information.
28 CVE-2019-9174 918 2019-04-17 2019-04-17
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF.
29 CVE-2019-6960 2019-09-09 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Access to the internal wiki is permitted when an external wiki service is enabled.
30 CVE-2019-5464 918 2020-01-28 2020-01-31
7.5
 None Remote Low Not required Partial Partial Partial
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
31 CVE-2018-18843 918 2018-12-04 2019-02-05
7.5
 None Remote Low Not required Partial Partial Partial
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF.
32 CVE-2018-18649 Exec Code 2018-11-29 2020-08-24
7.5
 None Remote Low Not required Partial Partial Partial
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
33 CVE-2018-14364 22 Exec Code Dir. Trav. 2018-07-18 2018-09-15
7.5
 None Remote Low Not required Partial Partial Partial
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.
34 CVE-2018-8971 20 2018-03-24 2019-03-05
7.5
 None Remote Low Not required Partial Partial Partial
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
35 CVE-2017-0916 20 Exec Code 2018-03-21 2019-10-09
7.5
 None Remote Low Not required Partial Partial Partial
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.
36 CVE-2017-0915 20 Exec Code 2018-03-21 2019-10-09
7.5
 None Remote Low Not required Partial Partial Partial
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution.
Total number of vulnerabilities : 36   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.