Filtered by vendor Gitlab
Subscribe
Total
821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3060 | 1 Gitlab | 1 Gitlab | 2022-10-19 | N/A | 7.3 HIGH |
| Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests | |||||
| CVE-2022-3030 | 1 Gitlab | 1 Gitlab | 2022-10-19 | N/A | 4.3 MEDIUM |
| An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users. | |||||
| CVE-2022-2533 | 1 Gitlab | 1 Gitlab | 2022-10-19 | N/A | 7.4 HIGH |
| An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. | |||||
| CVE-2022-3031 | 1 Gitlab | 1 Gitlab | 2022-10-19 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account. | |||||
| CVE-2022-3067 | 1 Gitlab | 1 Gitlab | 2022-10-19 | N/A | 6.5 MEDIUM |
| An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects' content given the project's ID. | |||||
| CVE-2022-3066 | 1 Gitlab | 1 Gitlab | 2022-10-19 | N/A | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project. | |||||
| CVE-2020-10977 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 2.1 LOW | 5.5 MEDIUM |
| GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects. | |||||
| CVE-2021-39913 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 7.2 HIGH | 6.7 MEDIUM |
| Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges | |||||
| CVE-2021-39911 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers | |||||
| CVE-2021-39904 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request | |||||
| CVE-2021-39888 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. | |||||
| CVE-2021-39885 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 3.5 LOW | 5.4 MEDIUM |
| A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names | |||||
| CVE-2021-39883 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups. | |||||
| CVE-2021-39909 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 3.5 LOW | 5.3 MEDIUM |
| Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances | |||||
| CVE-2022-0283 | 1 Gitlab | 1 Gitlab | 2022-10-05 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in GitLab integration with Jira that a could cause the web application to redirect the request to the attacker specified URL. | |||||
| CVE-2022-1193 | 1 Gitlab | 1 Gitlab | 2022-09-30 | 3.5 LOW | 4.3 MEDIUM |
| Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances | |||||
| CVE-2021-39908 | 1 Gitlab | 1 Gitlab | 2022-09-30 | 5.0 MEDIUM | 7.5 HIGH |
| In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI. | |||||
| CVE-2021-22260 | 1 Gitlab | 1 Gitlab | 2022-09-29 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf | |||||
| CVE-2021-22262 | 1 Gitlab | 1 Gitlab | 2022-09-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page | |||||
| CVE-2021-22200 | 1 Gitlab | 1 Gitlab | 2022-09-23 | 4.3 MEDIUM | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. | |||||