Gitlab : Security Vulnerabilities CVSS score between 3 and 3.99
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.
| Max Base Score | 3.5 |
| Published | 2023-09-29 |
| Updated | 2023-10-02 |
| EPSS | 0.05% |
An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`.
| Max Base Score | 3.9 |
| Published | 2023-07-13 |
| Updated | 2023-07-20 |
| EPSS | 0.04% |
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when attacker has a fork of a project that was switched to private.
| Max Base Score | 3.7 |
| Published | 2023-04-05 |
| Updated | 2023-04-12 |
| EPSS | 0.05% |
A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.
| Max Base Score | 3.8 |
| Published | 2022-08-05 |
| Updated | 2022-08-11 |
| EPSS | 0.05% |
An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members that don't comply with domain allow-list.
| Max Base Score | 3.5 |
| Published | 2022-07-01 |
| Updated | 2022-07-13 |
| EPSS | 0.08% |
Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged
| Max Base Score | 3.5 |
| Published | 2022-04-11 |
| Updated | 2022-04-18 |
| EPSS | 0.05% |
A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages
| Max Base Score | 3.5 |
| Published | 2022-04-04 |
| Updated | 2022-04-11 |
| EPSS | 0.05% |
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
| Max Base Score | 3.5 |
| Published | 2021-10-05 |
| Updated | 2021-10-09 |
| EPSS | 0.07% |
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
| Max Base Score | 3.5 |
| Published | 2021-03-24 |
| Updated | 2021-03-26 |
| EPSS | 0.08% |
When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above.
| Max Base Score | 3.2 |
| Published | 2020-11-17 |
| Updated | 2022-06-13 |
| EPSS | 0.04% |
10 vulnerabilities found