CVEdetails.com the ultimate security vulnerability data source
Gitlab : Security Vulnerabilities

The Score column and the six metric columns that follow it are CVSS v2 base metrics (access vector, access complexity, authentication, and the confidentiality, integrity and availability impacts). The Authentication cells that the page rendered as "???" are shown here as "Single system"; that is the only value that reproduces the listed score from the other five metrics. No exploit count is listed for any entry on this page.

| # | CVE ID | CWE ID | Vulnerability type(s) | Publish date | Update date | CVSS v2 score | Gained access level | Access vector | Access complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|-----------------------|--------------|-------------|---------------|---------------------|---------------|-------------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2021-22220 | 79 | XSS | 2021-06-08 | 2021-06-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in the blob viewer of notebooks. |
| 2 | CVE-2021-22211 | 863 | | 2021-05-06 | 2021-05-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user, resulting in possibly incorrect access handling. |
| 3 | CVE-2021-22210 | 770 | | 2021-05-06 | 2021-05-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying repository branches through the API, GitLab was ignoring a query parameter and returning a considerable amount of results. |
| 4 | CVE-2021-22209 | 863 | | 2021-05-06 | 2021-05-13 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens, which resulted in a GraphQL mutation being executed. |
| 5 | CVE-2021-22208 | 862 | | 2021-05-06 | 2021-05-13 | 4.0 | None | Remote | Low | Single system | None | Partial | None | An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. An improper permission check could allow the creation or update timestamp of an issue to be changed. |
| 6 | CVE-2021-22206 | 312 | | 2021-05-06 | 2021-05-13 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed, allowing other maintainers to view the credentials in plain text. |
| 7 | CVE-2021-22205 | 20 | Exec Code | 2021-04-23 | 2021-04-30 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution. |
| 8 | CVE-2021-22203 | | | 2021-04-02 | 2021-04-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server. |
| 9 | CVE-2021-22202 | 352 | CSRF | 2021-04-02 | 2021-04-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. |
| 10 | CVE-2021-22201 | | | 2021-04-02 | 2021-04-07 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. |
| 11 | CVE-2021-22200 | | | 2021-04-02 | 2021-04-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. |
| 12 | CVE-2021-22199 | 79 | XSS | 2021-04-22 | 2021-04-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. |
| 13 | CVE-2021-22198 | | | 2021-04-02 | 2021-04-07 | 4.0 | None | Remote | Low | Single system | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above, allowing an authenticated user to delete incident metric images of public projects. |
| 14 | CVE-2021-22197 | 835 | | 2021-04-02 | 2021-04-07 | 4.0 | None | Remote | Low | Single system | None | None | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6, where an infinite loop exists when an authenticated user with specific rights accesses an MR whose source and target branches point to each other. |
| 15 | CVE-2021-22196 | 79 | XSS | 2021-04-02 | 2021-04-07 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site scripting vulnerability in merge requests via a specifically crafted branch name. |
| 16 | CVE-2021-22195 | 77 | Exec Code | 2021-04-01 | 2021-04-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Client-side code execution in gitlab-vscode-extension v3.15.0 and earlier allows an attacker to execute code on the user's system. |
| 17 | CVE-2021-22194 | 312 | | 2021-03-26 | 2021-03-30 | 2.1 | None | Local | Low | Not required | Partial | None | None | In all versions of GitLab starting from 13.7, marshalled session keys were being stored in Redis. |
| 18 | CVE-2021-22193 | 209 | | 2021-03-24 | 2021-03-26 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for a private project. |
| 19 | CVE-2021-22192 | | Exec Code | 2021-03-24 | 2021-03-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2, allowing unauthorized authenticated users to execute arbitrary code on the server. |
| 20 | CVE-2021-22190 | 22 | Dir. Trav. | 2021-04-12 | 2021-04-20 | 4.0 | None | Remote | Low | Single system | Partial | None | None | A path traversal vulnerability via GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT. |
| 21 | CVE-2021-22189 | 295 | | 2021-03-04 | 2021-03-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Starting with version 13.7, the GitLab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues. |
| 22 | CVE-2021-22188 | | | 2021-03-03 | 2021-03-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in GitLab were readable by an unauthorised user via branch logs. |
| 23 | CVE-2021-22187 | 400 | | 2021-03-02 | 2021-05-04 | 4.0 | None | Remote | Low | Single system | None | None | Partial | An issue has been discovered in GitLab affecting all versions of GitLab EE/CE before 13.6.7. A potential resource exhaustion issue allowed running or pending jobs to continue even after the project was deleted. |
| 24 | CVE-2021-22186 | 863 | | 2021-03-24 | 2021-03-26 | 4.0 | None | Remote | Low | Single system | None | Partial | None | An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables, which should be restricted to group owners. |
| 25 | CVE-2021-22185 | 79 | XSS | 2021-03-24 | 2021-03-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially crafted commit to a wiki. |
| 26 | CVE-2021-22184 | 200 | +Info | 2021-03-26 | 2021-03-30 | 2.1 | None | Local | Low | Not required | Partial | None | None | An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted. |
| 27 | CVE-2021-22183 | 79 | XSS | 2021-03-04 | 2021-03-10 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interaction. |
| 28 | CVE-2021-22182 | 79 | XSS | 2021-03-03 | 2021-03-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge requests. |
| 29 | CVE-2021-22180 | 863 | | 2021-03-26 | 2021-03-30 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytics pages. |
| 30 | CVE-2021-22179 | 918 | | 2021-03-24 | 2021-03-26 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to an SSRF attack through the Outbound Requests feature. |
| 31 | CVE-2021-22178 | 918 | | 2021-03-24 | 2021-03-26 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting from 13.2. GitLab was vulnerable to an SSRF attack through the Prometheus integration. |
| 32 | CVE-2021-22177 | 400 | | 2021-04-01 | 2021-04-05 | 4.0 | None | Remote | Low | Single system | None | None | Partial | A potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike server resource utilization via a gitlab-shell command. |
| 33 | CVE-2021-22176 | 863 | | 2021-03-24 | 2021-03-26 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on merge requests they authored. |
| 34 | CVE-2021-22172 | 863 | | 2021-03-26 | 2021-03-30 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page. |
| 35 | CVE-2021-22171 | 287 | | 2021-01-15 | 2021-01-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link. |
| 36 | CVE-2021-22169 | 200 | +Info | 2021-03-24 | 2021-03-25 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue was identified in GitLab EE 13.4 or later which leaked internal IP addresses via error messages. |
| 37 | CVE-2021-22168 | 400 | DoS | 2021-01-15 | 2021-01-22 | 4.0 | None | Remote | Low | Single system | None | None | Partial | A regular expression denial of service issue has been discovered in the NuGet API affecting all versions of GitLab starting from version 12.8. |
| 38 | CVE-2021-22167 | | | 2021-01-15 | 2021-01-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in a specific project page allow an attacker to have temporary read access to the private repository. |
| 39 | CVE-2021-22166 | 400 | DoS | 2021-01-15 | 2021-01-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method. |
| 40 | CVE-2020-26417 | 200 | +Info | 2020-12-11 | 2020-12-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7. |
| 41 | CVE-2020-26416 | 200 | +Info | 2020-12-11 | 2020-12-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | Information disclosure in the Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. |
| 42 | CVE-2020-26415 | 200 | +Info | 2020-12-11 | 2020-12-14 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. |
| 43 | CVE-2020-26414 | | | 2021-01-15 | 2021-01-21 | 4.0 | None | Remote | Low | Single system | None | None | Partial | An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time grow quadratically with the length of the malicious input string. |
| 44 | CVE-2020-26413 | 200 | +Info | 2020-12-11 | 2020-12-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible. |
| 45 | CVE-2020-26412 | 200 | +Info | 2020-12-11 | 2020-12-14 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2. |
| 46 | CVE-2020-26411 | 404 | | 2020-12-11 | 2020-12-14 | 4.0 | None | Remote | Low | Single system | None | None | Partial | A potential DoS vulnerability was discovered in all versions of GitLab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DoS if abused. |
| 47 | CVE-2020-26409 | 20 | Bypass | 2020-12-11 | 2020-12-14 | 4.0 | None | Remote | Low | Single system | None | None | Partial | A DoS vulnerability exists in GitLab CE/EE >=10.3, <13.4.7, >=13.5, <13.5.5, >=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields. |
| 48 | CVE-2020-26408 | 200 | +Info | 2020-12-11 | 2020-12-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A limited information disclosure vulnerability exists in GitLab CE/EE from >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in a user's private profile. |
| 49 | CVE-2020-26407 | 79 | XSS | 2020-12-10 | 2020-12-11 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An XSS vulnerability exists in GitLab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting against other users via importing a malicious project. |
| 50 | CVE-2020-26406 | | | 2020-11-17 | 2020-12-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted, as well as to guest members on private projects. Affected versions are: >=13.3, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2. |
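The score column above is derived from the six metric columns, so the listing can be checked rather than trusted. The following is an added example, not code from CVEdetails or GitLab: it implements the CVSS v2.0 base-score equation over the vocabulary this table uses ("Remote", "Single system", "Partial", and so on), recomputes a handful of rows transcribed from the table, and resolves an Authentication cell that an extraction rendered as "???" by finding the one value that reproduces the published score. The `SAMPLE_ROWS` values are copied from the table; the function and variable names are this example's own.

```python
"""CVSS v2 base-score check for the GitLab listing (added example, not CVEdetails code)."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights, keyed by the labels used in the table above.
ACCESS = {"Local": 0.395, "Adjacent Network": 0.646, "Remote": 1.0}
COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTH = {"Multiple systems": 0.45, "Single system": 0.56, "Not required": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def cvss2_base(access, complexity, auth, conf, integ, avail):
    """CVSS v2.0 base score, rounded half-up to one decimal as the spec requires."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS[access] * COMPLEXITY[complexity] * AUTH[auth]
    f_impact = 0 if impact == 0 else 1.176  # f(Impact) term: no impact, no score
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def resolve_auth(score, access, complexity, conf, integ, avail):
    """Return the single Authentication value that reproduces `score`, else None.

    This is how a '???' Authentication cell in an extracted table can be
    recovered: only one of the three Au weights yields the published score.
    """
    matches = [a for a in AUTH if cvss2_base(access, complexity, a, conf, integ, avail) == score]
    return matches[0] if len(matches) == 1 else None


def check_rows(rows):
    """Return the CVE IDs whose published score differs from the recomputed one.

    rows: iterable of (cve, score, access, complexity, auth, conf, integ, avail).
    """
    return [row[0] for row in rows if cvss2_base(*row[2:]) != row[1]]


# Rows transcribed from the table above (score and metric columns as listed).
SAMPLE_ROWS = [
    ("CVE-2021-22220", 4.3, "Remote", "Medium", "Not required", "None", "Partial", "None"),
    ("CVE-2021-22205", 6.5, "Remote", "Low", "Single system", "Partial", "Partial", "Partial"),
    ("CVE-2021-22195", 6.8, "Remote", "Medium", "Not required", "Partial", "Partial", "Partial"),
    ("CVE-2021-22194", 2.1, "Local", "Low", "Not required", "Partial", "None", "None"),
    ("CVE-2021-22179", 5.5, "Remote", "Low", "Single system", "None", "Partial", "Partial"),
]

if __name__ == "__main__":
    print("rows whose score does not match their metrics:", check_rows(SAMPLE_ROWS))
    # A 4.0 Remote/Low row with only a partial integrity impact must be Au:S.
    print(resolve_auth(4.0, "Remote", "Low", "None", "Partial", "None"))
```

Rounding goes through `Decimal` with `ROUND_HALF_UP` because the CVSS v2 guide specifies round-to-one-decimal, and Python's `round()` on a float uses round-half-even and can land one tenth off on exact `.x5` results.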
Total number of vulnerabilities: 510 (this is page 1 of 11).
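Several descriptions above state the affected versions in a structured way, either as ">=13.6 to <13.6.2" / ">=13.3, <13.3.9" pairs or as "13.5 before 13.5.5", and a practitioner patching a self-managed instance wants to know which entries apply to the version actually installed. The block below is an added example, not GitLab's or CVEdetails' code: it parses those two forms from the description text (descriptions that only say "all versions starting from 13.2" are open-ended and are given explicitly as a `(lower, None)` range), compares versions numerically rather than as strings, and reports which of three entries quoted from the table cover a given version. The entry texts are copied from the table; all function names are this example's own.

```python
"""Affected-version check over CVE descriptions (added example, not GitLab or CVEdetails code)."""
import re

_VER = r"(\d+(?:\.\d+)*)"
# Matches ">=13.6 to <13.6.2" and ">=13.3, <13.3.9": lower bound inclusive, upper exclusive.
_GE_LT = re.compile(r">=\s*" + _VER + r"\s*(?:to|,)?\s*<\s*" + _VER)
# Matches "13.5 before 13.5.5" (also "... starting from 13.4 before 13.6.2").
_BEFORE = re.compile(_VER + r"\s+before\s+" + _VER)


def parse_version(text):
    """'13.4.7' -> (13, 4, 7); short versions are zero-padded so '13.4' sorts as 13.4.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_affected_ranges(description):
    """Return [(lower_inclusive, upper_exclusive), ...] found in a description string."""
    ranges = list(_GE_LT.findall(description))
    ranges += list(_BEFORE.findall(description))
    return ranges


def is_affected(installed, ranges):
    """True if `installed` lies in any [lower, upper) range; upper=None means open-ended."""
    v = parse_version(installed)
    for lo, hi in ranges:
        if parse_version(lo) <= v and (hi is None or v < parse_version(hi)):
            return True
    return False


def applicable_cves(installed, entries):
    """entries: {cve_id: description}. Returns the IDs whose parsed ranges cover `installed`."""
    return [cve for cve, desc in entries.items()
            if is_affected(installed, parse_affected_ranges(desc))]


# Description text quoted from the table above.
ENTRIES = {
    "CVE-2020-26417": ("Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes "
                       "private group and project membership. This affects versions >=13.6 to <13.6.2, "
                       ">=13.5 to <13.5.5, and >=13.1 to <13.4.7."),
    "CVE-2020-26406": ("Certain SAST CiConfiguration information could be viewed by unauthorized users "
                       "in GitLab EE starting with 13.3. Affected versions are: >=13.3, <13.3.9, "
                       ">=13.4, <13.4.5, >=13.5, <13.5.2."),
    "CVE-2020-26407": ("An XSS vulnerability exists in GitLab CE/EE from 12.4 before 13.4.7, "
                       "13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform "
                       "cross-site scripting against other users via importing a malicious project"),
}

if __name__ == "__main__":
    installed = "13.4.6"  # constructed sample version, not from the page
    print(installed, "is affected by:", applicable_cves(installed, ENTRIES))
```

Note the boundary handling: a version equal to the upper bound (13.5.5 for CVE-2020-26417, 13.5.2 for CVE-2020-26406) is the fixed release and is reported as not affected, while the lower bound is inclusive; string comparison would get "13.10" vs "13.9" wrong, which is why versions are compared as integer tuples.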
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.