Filtered by vendor Gitlab
Subscribe
Total
821 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-3486 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 6.1 MEDIUM |
An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL. | |||||
CVE-2022-3413 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 4.3 MEDIUM |
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above. | |||||
CVE-2022-3706 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 4.3 MEDIUM |
Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project. | |||||
CVE-2022-3726 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 9.0 CRITICAL |
Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account. | |||||
CVE-2022-3819 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 4.3 MEDIUM |
An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to. | |||||
CVE-2022-3483 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 5.4 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. | |||||
CVE-2022-3285 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 7.5 HIGH |
Bypass of healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab | |||||
CVE-2022-3280 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 6.1 MEDIUM |
An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content. | |||||
CVE-2022-2761 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 5.3 MEDIUM |
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to. | |||||
CVE-2022-3818 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 5.3 MEDIUM |
An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance. | |||||
CVE-2022-3265 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 5.4 MEDIUM |
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. | |||||
CVE-2022-3793 | 1 Gitlab | 1 Gitlab | 2022-11-10 | N/A | 5.3 MEDIUM |
An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to. | |||||
CVE-2022-2904 | 1 Gitlab | 1 Gitlab | 2022-11-03 | N/A | 5.4 MEDIUM |
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. | |||||
CVE-2022-2826 | 1 Gitlab | 1 Gitlab | 2022-11-01 | N/A | 9.8 CRITICAL |
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO | |||||
CVE-2022-3018 | 1 Gitlab | 1 Gitlab | 2022-10-28 | N/A | 4.9 MEDIUM |
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs. | |||||
CVE-2022-2882 | 1 Gitlab | 1 Gitlab | 2022-10-28 | N/A | 4.3 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. | |||||
CVE-2022-2497 | 1 Gitlab | 1 Gitlab | 2022-10-27 | N/A | 6.4 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious developer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. | |||||
CVE-2020-13299 | 1 Gitlab | 1 Gitlab | 2022-10-27 | 5.5 MEDIUM | 8.1 HIGH |
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session. | |||||
CVE-2021-32823 | 2 Bindata Project, Gitlab | 2 Bindata, Gitlab | 2022-10-25 | 4.3 MEDIUM | 3.7 LOW |
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers. | |||||
CVE-2022-3639 | 1 Gitlab | 1 Gitlab | 2022-10-21 | N/A | 7.5 HIGH |
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 10.8 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Improper data handling on branch creation could have been used to trigger high CPU usage. |