CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-22220 79 XSS 2021-06-08 2021-06-10
4.3
None Remote Medium Not required None Partial None
An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.
2 CVE-2021-22219 532 +Info 2021-06-08 2021-06-15
4.0
None Remote Low ??? Partial None None
GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
3 CVE-2021-22218 295 2021-06-08 2021-06-17
4.0
None Remote Low ??? None Partial None
All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.
4 CVE-2021-22217 400 DoS 2021-06-08 2021-06-15
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request
5 CVE-2021-22216 400 DoS 2021-06-08 2021-06-15
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description
6 CVE-2021-22214 918 2021-06-08 2021-06-16
4.3
None Remote Medium Not required Partial None None
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
7 CVE-2021-22213 200 +Info 2021-06-08 2021-06-15
4.3
None Remote Medium Not required Partial None None
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
8 CVE-2021-22208 862 2021-05-06 2021-05-13
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.
9 CVE-2021-22206 312 2021-05-06 2021-05-13
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,
10 CVE-2021-22202 352 CSRF 2021-04-02 2021-04-07
4.3
None Remote Medium Not required None Partial None
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
11 CVE-2021-22201 2021-04-02 2021-04-07
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
12 CVE-2021-22200 2021-04-02 2021-04-07
4.3
None Remote Medium Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
13 CVE-2021-22198 2021-04-02 2021-04-07
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
14 CVE-2021-22197 835 2021-04-02 2021-04-07
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other
15 CVE-2021-22190 22 Dir. Trav. 2021-04-12 2021-04-20
4.0
None Remote Low ??? Partial None None
A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token
16 CVE-2021-22187 400 2021-03-02 2021-05-04
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.
17 CVE-2021-22186 863 2021-03-24 2021-03-26
4.0
None Remote Low ??? None Partial None
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
18 CVE-2021-22180 863 2021-03-26 2021-03-30
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
19 CVE-2021-22178 918 2021-03-24 2021-03-26
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.
20 CVE-2021-22177 400 2021-04-01 2021-04-05
4.0
None Remote Low ??? None None Partial
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
21 CVE-2021-22176 863 2021-03-24 2021-03-26
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
22 CVE-2021-22172 863 2021-03-26 2021-03-30
4.0
None Remote Low ??? Partial None None
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page
23 CVE-2021-22171 287 2021-01-15 2021-01-22
4.3
None Remote Medium Not required Partial None None
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
24 CVE-2021-22169 200 +Info 2021-03-24 2021-03-25
4.0
None Remote Low ??? Partial None None
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
25 CVE-2021-22168 400 DoS 2021-01-15 2021-01-22
4.0
None Remote Low ??? None None Partial
A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
26 CVE-2020-26415 200 +Info 2020-12-11 2020-12-14
4.0
None Remote Low ??? Partial None None
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
27 CVE-2020-26414 2021-01-15 2021-01-21
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
28 CVE-2020-26412 200 +Info 2020-12-11 2020-12-14
4.0
None Remote Low ??? Partial None None
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
29 CVE-2020-26411 404 2020-12-11 2020-12-14
4.0
None Remote Low ??? None None Partial
A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused.
30 CVE-2020-26409 20 Bypass 2020-12-11 2020-12-14
4.0
None Remote Low ??? None None Partial
A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.
31 CVE-2020-13357 639 2020-12-11 2020-12-14
4.0
None Remote Low ??? Partial None None
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
32 CVE-2020-13354 400 2020-11-17 2020-11-30
4.0
None Remote Low ??? None None Partial
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
33 CVE-2020-13350 352 CSRF 2020-11-17 2020-11-27
4.3
None Remote Medium Not required None None Partial
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9.
34 CVE-2020-13349 2020-11-17 2020-11-27
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
35 CVE-2020-13348 Bypass 2020-11-17 2020-11-27
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
36 CVE-2020-13346 200 +Info 2020-10-07 2020-10-15
4.0
None Remote Low ??? Partial None None
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
37 CVE-2020-13343 668 2020-10-06 2020-10-14
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized Users Can View Custom Project Template
38 CVE-2020-13342 400 2020-10-07 2020-10-15
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
39 CVE-2020-13341 732 2020-10-12 2020-10-26
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions.
40 CVE-2020-13335 287 2020-10-07 2020-10-20
4.0
None Remote Low ??? None Partial None
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.
41 CVE-2020-13333 400 2020-10-06 2020-10-29
4.0
None Remote Low ??? None None Partial
A potential DOS vulnerability was discovered in GitLab versions 13.1, 13.2 and 13.3. The api to update an asset as a link from a release had a regex check which caused exponential number of backtracks for certain user supplied values resulting in high CPU usage.
42 CVE-2020-13323 863 2020-09-30 2020-10-02
4.3
None Remote Medium Not required Partial None None
A vulnerability was discovered in GitLab versions prior 13.1. Under certain conditions private merge requests could be read via Todos
43 CVE-2020-13320 863 2020-09-30 2020-10-02
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.
44 CVE-2020-13319 862 2020-09-30 2020-10-02
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.
45 CVE-2020-13318 863 2020-09-14 2020-09-16
4.9
None Remote Medium ??? Partial Partial None
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLabs EKS integration was vulnerable to a cross-account assume role attack.
46 CVE-2020-13317 20 2020-09-14 2020-09-16
4.0
None Remote Low ??? None Partial None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository.
47 CVE-2020-13316 862 2020-09-14 2020-09-16
4.0
None Remote Low ??? Partial None None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line.
48 CVE-2020-13313 863 2020-09-14 2020-09-16
4.0
None Remote Low ??? None Partial None
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
49 CVE-2020-13311 74 2020-09-14 2020-09-16
4.0
None Remote Low ??? None None Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Wiki was vulnerable to a parser attack that prohibits anyone from accessing the Wiki functionality through the user interface.
50 CVE-2020-13310 DoS 2020-09-14 2020-09-16
4.0
None Remote Low ??? None None Partial
A vulnerability was discovered in GitLab runner versions before 13.1.3, 13.2.3 and 13.3.1. It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial of service.
Total number of vulnerabilities : 207   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.