CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab » Gitlab : Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-1510 770 2022-05-11 2022-05-18
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption.
2 CVE-2022-1431 400 2022-05-10 2022-05-18
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption.
3 CVE-2022-1413 668 2022-05-19 2022-06-02
5.0
None Remote Low Not required Partial None None
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface
4 CVE-2022-1352 639 2022-05-11 2022-05-19
5.0
None Remote Low Not required Partial None None
Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issue only to project members.
5 CVE-2022-1188 918 2022-04-04 2022-04-11
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible.
6 CVE-2022-1174 400 2022-04-04 2022-04-11
5.0
None Remote Low Not required None None Partial
A potential DoS vulnerability was discovered in Gitlab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to trigger high CPU usage via a special crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc.
7 CVE-2022-1121 770 2022-04-04 2022-04-11
5.0
None Remote Low Not required None None Partial
A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption.
8 CVE-2022-0283 601 2022-03-28 2022-04-04
5.8
None Remote Medium Not required Partial Partial None
An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in GitLab integration with Jira that a could cause the web application to redirect the request to the attacker specified URL.
9 CVE-2022-0244 552 2022-01-18 2022-01-25
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file.
10 CVE-2022-0151 DoS 2022-01-18 2022-01-25
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions.
11 CVE-2022-0136 918 2022-03-28 2022-04-04
5.5
None Remote Low ??? Partial Partial None
A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. GitLab was vulnerable to a blind SSRF attack through the Project Import feature.
12 CVE-2022-0090 269 2022-01-18 2022-01-25
5.0
None Remote Low Not required None Partial None
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.
13 CVE-2021-39944 269 2021-12-13 2021-12-15
5.5
None Remote Low ??? Partial Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import
14 CVE-2021-39941 200 +Info 2021-12-13 2021-12-15
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members
15 CVE-2021-39935 918 2021-12-13 2021-12-15
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API
16 CVE-2021-39915 668 2021-12-13 2021-12-16
5.0
None Remote Low Not required Partial None None
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
17 CVE-2021-39914 400 DoS 2021-11-04 2022-05-03
5.0
None Remote Low Not required None None Partial
A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user
18 CVE-2021-39912 770 2021-11-05 2021-11-08
5.0
None Remote Low Not required None None Partial
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion.
19 CVE-2021-39908 94 2022-04-01 2022-05-12
5.0
None Remote Low Not required None Partial None
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.
20 CVE-2021-39907 770 2021-11-05 2021-11-08
5.0
None Remote Low Not required None None Partial
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
21 CVE-2021-39898 668 2021-11-05 2021-11-08
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
22 CVE-2021-39897 281 2021-11-05 2021-11-08
5.0
None Remote Low Not required Partial None None
Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred
23 CVE-2021-39896 2021-10-04 2021-10-12
5.5
None Remote Low ??? Partial Partial None
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.
24 CVE-2021-39894 918 2021-10-05 2021-10-12
5.5
None Remote Low ??? Partial Partial None
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.
25 CVE-2021-39893 862 2021-10-05 2021-10-09
5.0
None Remote Low Not required None None Partial
A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
26 CVE-2021-39882 319 2021-10-05 2021-10-12
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
27 CVE-2021-39875 200 +Info 2021-10-05 2021-10-12
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
28 CVE-2021-39867 918 2021-10-05 2021-10-12
5.5
None Remote Low ??? Partial Partial None
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
29 CVE-2021-39866 668 2021-10-05 2021-10-12
5.5
None Remote Low ??? Partial Partial None
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
30 CVE-2021-22263 269 2021-10-11 2021-10-18
5.5
None Remote Low ??? Partial Partial None
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
31 CVE-2021-22262 863 2021-10-05 2022-05-12
5.0
None Remote Low Not required None Partial None
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page
32 CVE-2021-22257 2021-10-05 2021-10-09
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.
33 CVE-2021-22256 863 2021-08-25 2021-08-31
5.5
None Remote Low ??? Partial Partial None
Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status
34 CVE-2021-22250 2021-08-25 2022-05-03
5.5
None Remote Low ??? Partial Partial None
Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account
35 CVE-2021-22248 2021-08-23 2022-05-03
5.0
None Remote Low Not required Partial None None
Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only
36 CVE-2021-22210 770 2021-05-06 2021-05-13
5.0
None Remote Low Not required None None Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
37 CVE-2021-22209 863 2021-05-06 2021-05-13
5.0
None Remote Low Not required None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
38 CVE-2021-22203 2021-04-02 2022-05-12
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
39 CVE-2021-22188 2021-03-03 2021-03-10
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
40 CVE-2021-22179 918 2021-03-24 2021-03-26
5.5
None Remote Low ??? None Partial Partial
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
41 CVE-2021-22170 326 2021-12-06 2021-12-07
5.0
None Remote Low Not required Partial None None
Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted content
42 CVE-2021-22167 2021-01-15 2021-01-22
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
43 CVE-2021-22166 400 DoS 2021-01-15 2021-01-21
5.0
None Remote Low Not required None None Partial
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method
44 CVE-2021-4191 287 2022-03-28 2022-04-04
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.
45 CVE-2020-26417 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
46 CVE-2020-26413 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
47 CVE-2020-26408 200 +Info 2020-12-11 2021-07-21
5.0
None Remote Low Not required Partial None None
A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile
48 CVE-2020-26406 2020-11-17 2020-12-01
5.0
None Remote Low Not required Partial None None
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
49 CVE-2020-26405 22 Dir. Trav. 2020-11-17 2020-12-01
5.5
None Remote Low ??? None Partial Partial
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
50 CVE-2020-15525 269 2020-07-07 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.
Total number of vulnerabilities : 209   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.