CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab » Gitlab : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-13347 77 2020-10-07 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable.
2 CVE-2020-13273 400 DoS 2020-06-19 2021-07-21
7.8
None Remote Low Not required None None Complete
A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1
3 CVE-2017-0915 20 Exec Code 2018-03-21 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution.
4 CVE-2017-0916 20 Exec Code 2018-03-21 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.
5 CVE-2018-8971 20 2018-03-24 2019-03-05
7.5
None Remote Low Not required Partial Partial Partial
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
6 CVE-2018-14364 22 Exec Code Dir. Trav. 2018-07-18 2018-09-15
7.5
None Remote Low Not required Partial Partial Partial
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.
7 CVE-2018-18649 Exec Code 2018-11-29 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
8 CVE-2018-18843 918 2018-12-04 2019-02-05
7.5
None Remote Low Not required Partial Partial Partial
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF.
9 CVE-2019-5464 918 2020-01-28 2020-01-31
7.5
None Remote Low Not required Partial Partial Partial
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
10 CVE-2019-6960 2019-09-09 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Access to the internal wiki is permitted when an external wiki service is enabled.
11 CVE-2019-9174 918 2019-04-17 2019-04-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF.
12 CVE-2019-9217 2019-04-17 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information.
13 CVE-2019-9218 2019-05-29 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5).
14 CVE-2019-9485 2019-05-29 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
15 CVE-2019-9732 2019-05-29 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
16 CVE-2019-9756 639 2019-04-17 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
17 CVE-2019-12428 Bypass 2020-03-10 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization.
18 CVE-2019-12443 918 2020-03-10 2020-03-10
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validation to prevent DNS rebinding attacks.
19 CVE-2019-14943 798 2019-08-29 2019-09-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials.
20 CVE-2019-15585 287 2020-01-28 2020-01-29
7.5
None Remote Low Not required Partial Partial Partial
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.
21 CVE-2019-19088 22 Dir. Trav. 2020-01-03 2020-01-06
7.5
None Remote Low Not required Partial Partial Partial
Gitlab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal.
22 CVE-2019-19628 22 Exec Code Dir. Trav. 2020-01-05 2020-01-10
7.5
None Remote Low Not required Partial Partial Partial
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
23 CVE-2020-8113 269 2020-03-06 2020-03-18
7.5
None Remote Low Not required Partial Partial Partial
GitLab 10.7 and later through 12.7.2 has Incorrect Access Control.
24 CVE-2020-8114 276 2020-02-05 2020-02-07
7.5
None Remote Low Not required Partial Partial Partial
GitLab EE 8.9 and later through 12.7.2 has Insecure Permission
25 CVE-2020-10074 2020-03-13 2020-03-18
7.5
None Remote Low Not required Partial Partial Partial
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.
26 CVE-2020-10077 918 2020-03-13 2020-03-18
7.5
None Remote Low Not required Partial Partial Partial
GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.
27 CVE-2020-10956 918 2020-03-27 2020-04-01
7.5
None Remote Low Not required Partial Partial Partial
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.
28 CVE-2020-10980 918 2020-04-08 2020-04-09
7.5
None Remote Low Not required Partial Partial Partial
GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.
29 CVE-2020-13296 862 2020-09-30 2020-10-02
7.5
None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens
30 CVE-2021-22205 20 Exec Code 2021-04-23 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
31 CVE-2021-39890 287 Bypass 2021-12-06 2021-12-07
7.5
None Remote Low Not required Partial Partial Partial
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
32 CVE-2021-39913 269 2021-11-05 2021-11-08
7.2
None Local Low Not required Complete Complete Complete
Accidental logging of system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain system root-level privileges
33 CVE-2013-4580 287 Bypass 2014-05-12 2016-05-18
6.8
None Remote Medium Not required Partial Partial Partial
GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1, when using a MySQL backend, allows remote attackers to impersonate arbitrary users and bypass authentication via unspecified API calls.
34 CVE-2013-4581 94 Exec Code 2014-05-12 2014-05-12
6.8
None Remote Medium Not required Partial Partial Partial
GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote attackers to execute arbitrary code via a crafted change using SSH.
35 CVE-2017-0921 640 2018-07-03 2018-09-04
6.8
None Remote Medium Not required Partial Partial Partial
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.
36 CVE-2017-12426 20 Exec Code 2017-08-14 2017-08-25
6.8
None Remote Medium Not required Partial Partial Partial
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
37 CVE-2018-3710 22 Exec Code Dir. Trav. 2018-03-21 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution.
38 CVE-2018-14603 352 CSRF 2018-07-27 2018-09-18
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
39 CVE-2019-5462 613 2020-01-28 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
40 CVE-2019-6793 918 2019-09-09 2019-09-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue.
41 CVE-2019-19261 918 2020-01-03 2020-01-09
6.8
None Remote Medium Not required Partial Partial Partial
GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF.
42 CVE-2021-22175 918 2021-06-11 2021-06-21
6.8
None Remote Medium Not required Partial Partial Partial
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
43 CVE-2013-4489 Exec Code 2014-05-17 2014-05-19
6.5
None Remote Low ??? Partial Partial Partial
The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature.
44 CVE-2013-4490 Exec Code 2014-05-13 2014-05-14
6.5
None Remote Low ??? Partial Partial Partial
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands via shell metacharacters in the public key.
45 CVE-2013-4546 Exec Code 2014-05-13 2014-05-14
6.5
None Remote Low ??? Partial Partial Partial
The repository import feature in gitlab-shell before 1.7.4, as used in GitLab, allows remote authenticated users to execute arbitrary commands via the import URL.
46 CVE-2013-4583 269 +Priv 2020-01-28 2020-02-03
6.5
None Remote Low ??? Partial Partial Partial
The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges and clone arbitrary repositories.
47 CVE-2016-4340 264 2017-01-23 2017-01-25
6.5
None Remote Low ??? Partial Partial Partial
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.
48 CVE-2017-0918 22 Exec Code Dir. Trav. 2018-03-21 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution.
49 CVE-2017-0926 863 2018-03-21 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.
50 CVE-2017-11438 269 2017-08-02 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup.
Total number of vulnerabilities : 599   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.