CVEdetails.com the ultimate security vulnerability data source
Gitlab » Gitlab : Security Vulnerabilities

Columns: row number, CVE ID, CWE ID, vulnerability type(s), publish date, last update date, CVSS v2 base score, CVSS v2 Access Vector / Access Complexity / Authentication (Not required = Au:N, Single = Au:S), and Confidentiality / Integrity / Availability impact. Gained Access Level is None and the exploit count is empty for every entry on this page, so those two columns are not repeated.

#    CVE ID          CWE      Type(s)               Published   Updated     CVSS  AV/AC/Auth                  Conf/Integ/Avail

501  CVE-2019-6789   CWE-269  -                     2019-09-09  2020-08-24  4.0   Remote/Low/Single           Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project permissions will receive emails after a project move. For private projects, this will disclose the new project namespace to an unauthorized user.

502  CVE-2019-6788   -        +Info                 2019-09-09  2020-08-24  5.0   Remote/Low/Not required     Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 3 of 6). For installations using GitHub or Bitbucket OAuth integrations, it is possible to use a covert redirect to obtain the user OAuth token for those services.

503  CVE-2019-6787   -        -                     2019-05-17  2020-08-24  4.0   Remote/Low/Single           Partial/None/None
     An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitLab API allowed project Maintainers and Owners to view the trigger tokens of other project users.

504  CVE-2019-6786   -        -                     2019-09-09  2020-08-24  4.0   Remote/Low/Single           Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 1 of 3). The contents of an LFS object can be accessed by an unauthorized user, if the file size and OID are known.

505  CVE-2019-6785   -        DoS                   2019-09-09  2020-08-24  4.0   Remote/Low/Single           None/None/Partial
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Denial of Service. Inputting an overly long string into a Markdown field could cause a denial of service.

506  CVE-2019-6784   CWE-79   XSS                   2019-09-09  2019-09-10  4.3   Remote/Medium/Not required  None/Partial/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 1 of 2). Markdown fields contain a lack of input validation and output encoding when processing KaTeX that results in a persistent XSS.

507  CVE-2019-6783   CWE-22   Exec Code Dir. Trav.  2019-09-09  2019-09-10  6.5   Remote/Low/Single           Partial/Partial/Partial
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. GitLab Pages contains a directory traversal vulnerability that could lead to remote command execution.

508  CVE-2019-6782   -        -                     2019-09-09  2020-08-24  5.0   Remote/Low/Not required     Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 1 of 6). An authorization issue allows the contributed project information of a private profile to be viewed.

509  CVE-2019-6781   CWE-601  -                     2019-05-17  2020-08-24  5.0   Remote/Low/Not required     None/Partial/None
     An Improper Input Validation issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It was possible to use the profile name to inject a potentially malicious link into notification emails.

510  CVE-2019-6240   CWE-22   Dir. Trav.            2019-03-25  2019-03-26  5.0   Remote/Low/Not required     Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal.

511  CVE-2019-5883   -        -                     2019-05-17  2020-08-24  6.4   Remote/Low/Not required     Partial/Partial/None
     An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 6.0 and later but before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. The issue comments feature could allow a user to comment on an issue which they shouldn't be allowed to.

512  CVE-2019-5487   -        -                     2019-12-18  2020-10-22  5.0   Remote/Low/Not required     Partial/None/None
     An improper access control vulnerability exists in Gitlab EE <v12.3.3, <v12.2.7, & <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits.

513  CVE-2019-5486   CWE-287  Bypass                2019-12-18  2019-12-30  6.5   Remote/Low/Single           Partial/Partial/Partial
     An authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.

514  CVE-2019-5474   CWE-863  -                     2020-01-28  2020-10-19  4.0   Remote/Low/Single           None/Partial/None
     An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.

515  CVE-2019-5473   CWE-287  Bypass                2019-09-09  2019-10-09  6.5   Remote/Low/Single           Partial/Partial/Partial
     An authentication issue was discovered in GitLab that allowed a bypass of email verification. This was addressed in GitLab 12.1.2 and 12.0.4.

516  CVE-2019-5472   -        -                     2020-01-28  2020-01-31  5.0   Remote/Low/Not required     None/Partial/None
     An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainers from deleting epic comments.

517  CVE-2019-5471   CWE-79   XSS                   2019-09-09  2019-10-09  3.5   Remote/Medium/Single        None/Partial/None
     An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.

518  CVE-2019-5470   CWE-862  -                     2020-01-28  2020-10-21  5.0   Remote/Low/Not required     Partial/None/None
     An information disclosure issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.

519  CVE-2019-5469   CWE-639  -                     2019-12-18  2019-12-27  5.5   Remote/Low/Single           None/Partial/Partial
     An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets.

520  CVE-2019-5468   CWE-269  -                     2020-01-28  2020-02-05  6.5   Remote/Low/Single           Partial/Partial/Partial
     A privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.

521  CVE-2019-5467   CWE-79   XSS                   2019-09-09  2019-10-09  3.5   Remote/Medium/Single        None/Partial/None
     An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

522  CVE-2019-5466   CWE-639  -                     2020-01-28  2020-10-20  4.0   Remote/Low/Single           Partial/None/None
     An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge request endpoint to disclose label names.

523  CVE-2019-5465   -        -                     2020-01-28  2020-10-20  4.0   Remote/Low/Single           Partial/None/None
     An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.

524  CVE-2019-5464   CWE-918  -                     2020-01-28  2020-01-31  7.5   Remote/Low/Not required     Partial/Partial/Partial
     A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
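The CVE-2019-5464 entry above names the mechanism (a DNS rebinding gap in the URL blocker that guards webhook, import and integration fetches) but not the shape of the bug or the fix, and the SSRF entries further down (CVE-2019-5461, CVE-2018-20499, CVE-2018-20497) give no mechanism at all. The following Ruby example is added here; it is not GitLab's `url_blocker.rb` and does not claim to reproduce the exact flaw. It shows the classic form of a rebinding bug, which is assumed for the example: the checker resolves the target, sees a public address and returns a verdict, then the HTTP client resolves the name a second time and an attacker-controlled zone answers 127.0.0.1. The hardened path resolves once, refuses the request if any answer falls in a blocked range, and returns a URL pinned to the vetted IP together with the original hostname for the Host header. The resolver object, the zone answers, the `*.example.test` hostnames and the 203.0.113.10 address (TEST-NET-3) are all constructed for this example.

```ruby
require 'ipaddr'
require 'uri'

# Added example, not GitLab code. The resolver is any object that responds to
# getaddresses(name) and returns an Array of IP strings, which is the interface
# of Ruby's Resolv, so Resolv itself can be passed in for real lookups.
module UrlChecker
  class BlockedError < StandardError; end

  # Ranges an outbound fetcher must never reach: "this" network, RFC 1918,
  # CGNAT, loopback, link-local (includes the 169.254.169.254 metadata service),
  # IPv6 loopback/unspecified, ULA and IPv6 link-local.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 ::/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }

  def self.blocked_ip?(ip)
    addr = IPAddr.new(ip.to_s)
    addr = addr.native if addr.ipv4_mapped?   # ::ffff:10.0.0.5 -> 10.0.0.5
    BLOCKED_RANGES.any? { |r| r.family == addr.family && r.include?(addr) }
  end

  # Resolve the host exactly once and refuse if ANY answer is blocked: the
  # attacker controls the zone and can mix a public and a private address.
  def self.vetted_addresses(uri, resolver)
    raise BlockedError, "unsupported scheme #{uri.scheme.inspect}" unless %w[http https].include?(uri.scheme)
    raise BlockedError, 'missing host' if uri.hostname.nil? || uri.hostname.empty?
    addrs = resolver.getaddresses(uri.hostname).map(&:to_s)
    raise BlockedError, "#{uri.hostname} does not resolve" if addrs.empty?
    bad = addrs.select { |a| blocked_ip?(a) }
    raise BlockedError, "#{uri.hostname} resolves to blocked #{bad.join(', ')}" unless bad.empty?
    addrs
  end

  # Flawed pattern: validate, then hand the ORIGINAL URL back. The HTTP client
  # resolves the name again, and a short-TTL zone can now answer 127.0.0.1.
  def self.validate_only!(url, resolver:)
    uri = URI.parse(url)
    vetted_addresses(uri, resolver)
    uri
  end

  # Hardened pattern: return a URL pinned to the vetted IP plus the original
  # hostname, which the caller must send as the Host header / TLS SNI.
  def self.validate_and_pin!(url, resolver:)
    uri = URI.parse(url)
    ip = vetted_addresses(uri, resolver).first
    pinned = uri.dup
    pinned.hostname = ip   # URI#hostname= brackets IPv6 literals for us
    [pinned, uri.hostname]
  end
end

# Constructed stand-in for an attacker-controlled zone: returns the answers in
# order and repeats the last one (first lookup public, second lookup loopback).
class RebindingResolver
  def initialize(answers)
    @answers = answers
    @calls = 0
  end

  def getaddresses(_name)
    answer = @answers[[@calls, @answers.size - 1].min]
    @calls += 1
    answer
  end
end

# Stand-in for a naive HTTP client: it resolves the hostname itself and returns
# the IP it would connect to; an IP literal "resolves" to itself.
def connect_ip(uri, resolver)
  host = uri.hostname
  return host if host =~ /\A[\d.]+\z/ || host.include?(':')
  resolver.getaddresses(host).first.to_s
end

# Runs both patterns against the same rebinding zone and reports the address
# each one actually ends up connecting to.
def rebinding_demo(url)
  zone = [['203.0.113.10'], ['127.0.0.1']]   # constructed: public, then loopback
  r1 = RebindingResolver.new(zone)
  naive_uri = UrlChecker.validate_only!(url, resolver: r1)
  r2 = RebindingResolver.new(zone)
  pinned_uri, host_header = UrlChecker.validate_and_pin!(url, resolver: r2)
  {
    naive: connect_ip(naive_uri, r1),     # "127.0.0.1": SSRF despite the check
    pinned: connect_ip(pinned_uri, r2),   # "203.0.113.10": the vetted address
    host_header: host_header,
    pinned_url: pinned_uri.to_s
  }
end

p rebinding_demo('http://hooks.example.test/notify') if __FILE__ == $PROGRAM_NAME
```

A real client has to connect to the pinned URL while sending the returned hostname as the Host header (and as TLS SNI, validating the certificate against that hostname, not the IP). Every redirect target must go back through `validate_and_pin!`, since a 302 to an internal address is the other common way past a URL blocker.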
525  CVE-2019-5463   CWE-862  -                     2019-09-09  2019-10-09  5.0   Remote/Low/Not required     Partial/None/None
     An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

526  CVE-2019-5462   CWE-613  -                     2020-01-28  2020-08-24  6.8   Remote/Medium/Not required  Partial/Partial/Partial
     A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.

527  CVE-2019-5461   CWE-20   -                     2019-09-09  2021-11-03  4.0   Remote/Low/Single           None/Partial/None
     An input validation problem was discovered in the GitHub service integration which could result in an attacker being able to make arbitrary POST requests in a GitLab instance's internal network. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

528  CVE-2018-20507  CWE-306  -                     2019-12-30  2020-01-09  5.0   Remote/Low/Not required     None/Partial/None
     An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

529  CVE-2018-20501  CWE-862  -                     2019-12-30  2020-01-08  6.5   Remote/Low/Single           Partial/Partial/Partial
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

530  CVE-2018-20500  CWE-732  -                     2019-05-17  2020-08-24  5.0   Remote/Low/Not required     Partial/None/None
     An insecure permissions issue was discovered in GitLab Community and Enterprise Edition 9.4 and later but before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. The runner registration token in the CI/CD settings could not be reset. This was a security risk if one of the maintainers leaves the group and they know the token.

531  CVE-2018-20499  CWE-918  -                     2019-12-30  2020-01-07  6.4   Remote/Low/Not required     Partial/Partial/None
     An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.

532  CVE-2018-20498  CWE-863  -                     2019-12-30  2020-01-08  4.0   Remote/Low/Single           Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

533  CVE-2018-20497  CWE-918  -                     2019-12-30  2020-01-08  4.0   Remote/Low/Single           Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.

534  CVE-2018-20496  CWE-79   XSS                   2019-12-30  2020-01-07  3.5   Remote/Medium/Single        None/Partial/None
     An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.

535  CVE-2018-20495  CWE-200  +Info                 2019-12-30  2020-01-07  5.0   Remote/Low/Not required     Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.

536  CVE-2018-20494  CWE-863  -                     2019-12-30  2020-01-07  5.0   Remote/Low/Not required     Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

537  CVE-2018-20493  CWE-863  -                     2019-12-30  2020-01-07  4.0   Remote/Low/Single           Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

538  CVE-2018-20492  CWE-863  -                     2019-12-26  2020-01-07  5.0   Remote/Low/Not required     Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).

539  CVE-2018-20491  CWE-79   XSS                   2019-12-30  2020-01-08  3.5   Remote/Medium/Single        None/Partial/None
     An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.

540  CVE-2018-20490  CWE-79   XSS                   2019-12-30  2020-01-08  3.5   Remote/Medium/Single        None/Partial/None
     An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.

541  CVE-2018-20489  CWE-287  -                     2019-12-30  2020-01-08  5.0   Remote/Low/Not required     None/Partial/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

542  CVE-2018-20488  CWE-200  +Info                 2019-12-30  2020-01-08  4.0   Remote/Low/Single           Partial/None/None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.

543  CVE-2018-20229  CWE-22   Dir. Trav.            2019-04-04  2019-04-08  5.0   Remote/Low/Not required     Partial/None/None
     GitLab Community and Enterprise Edition before 11.3.14, 11.4.x before 11.4.12, and 11.5.x before 11.5.5 allows Directory Traversal.

544  CVE-2018-20144  CWE-22   Dir. Trav.            2019-03-28  2019-10-03  5.0   Remote/Low/Not required     Partial/None/None
     GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x before 11.4.11, and 11.5.x before 11.5.4 has Incorrect Access Control.

545  CVE-2018-19856  CWE-22   Dir. Trav.            2019-03-26  2019-03-28  5.0   Remote/Low/Not required     Partial/None/None
     GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API.

546  CVE-2018-19585  CWE-93   -                     2019-05-17  2020-12-24  5.0   Remote/Low/Not required     None/Partial/None
     GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.

547  CVE-2018-19584  CWE-639  -                     2019-07-10  2020-08-24  5.0   Remote/Low/Not required     Partial/None/None
     GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups.

548  CVE-2018-19583  CWE-532  -                     2019-07-10  2019-07-16  4.0   Remote/Low/Single           Partial/None/None
     GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token.

549  CVE-2018-19582  CWE-639  -                     2019-07-10  2020-08-24  4.0   Remote/Low/Single           Partial/None/None
     GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.

550  CVE-2018-19581  CWE-285  -                     2019-07-10  2019-07-11  5.0   Remote/Low/Not required     None/Partial/None
     GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create.
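The LFS entry (CVE-2019-6786: object readable by anyone who knows its OID and size) and the CWE-639 entries on this page (CVE-2019-5469, CVE-2019-5466, CVE-2018-19584, CVE-2018-19582) are all the same class of mistake: the caller is authorized against one resource, but the identifier they supply is then looked up without checking that it belongs to that resource. The Ruby example below is added here with constructed in-memory models; it is not GitLab's code and the `LfsStore`, `Project` and `User` types are invented for the illustration. LFS objects are content-addressed, so `(oid, size)` is unique across the whole instance, and a lookup keyed on it alone proves nothing about which project the caller may read. The fixed lookup treats an OID outside the authorized project exactly like a nonexistent one, so the response does not even confirm the object exists.

```ruby
# Added example, not GitLab code: constructed models for the object-scoping bug
# behind the LFS and IDOR entries on this page.
class Forbidden < StandardError; end
class NotFound  < StandardError; end

LfsObject = Struct.new(:oid, :size, :content)
Project   = Struct.new(:id, :visibility, :members, :lfs_oids)  # visibility: :public / :private
User      = Struct.new(:name)

class LfsStore
  def initialize
    @objects  = {}   # [oid, size] => LfsObject: the global, content-addressed table
    @projects = {}   # id => Project
  end

  def add_object(obj)
    @objects[[obj.oid, obj.size]] = obj
  end

  def add_project(project)
    @projects[project.id] = project
  end

  def readable?(user, project)
    project.visibility == :public || project.members.include?(user.name)
  end

  # Flawed: authorizes the caller against the project named in the request,
  # then looks the object up in the global table. Any readable project serves
  # as the door, so knowing another project's oid and size is enough.
  def fetch_unscoped(user, project_id, oid, size)
    project = @projects.fetch(project_id) { raise NotFound }
    raise Forbidden unless readable?(user, project)
    @objects[[oid, size]] or raise NotFound
  end

  # Fixed: the object must be linked to the project the caller was authorized
  # for. An oid outside that set is indistinguishable from a missing object.
  def fetch_scoped(user, project_id, oid, size)
    project = @projects.fetch(project_id) { raise NotFound }
    raise Forbidden unless readable?(user, project)
    raise NotFound unless project.lfs_oids.include?(oid)
    @objects[[oid, size]] or raise NotFound
  end
end

# Constructed scenario: a private project's object requested through a public
# project the attacker can read. The oid is a placeholder, not a real digest.
def idor_demo
  store  = LfsStore.new
  secret = LfsObject.new('a' * 64, 7, 'SECRET!')
  store.add_object(secret)
  store.add_project(Project.new(1, :private, ['alice'], [secret.oid]))
  store.add_project(Project.new(2, :public,  [],        []))
  mallory = User.new('mallory')

  leaked = store.fetch_unscoped(mallory, 2, secret.oid, secret.size).content
  scoped = begin
    store.fetch_scoped(mallory, 2, secret.oid, secret.size)
    'leaked'
  rescue NotFound, Forbidden => e
    e.class.name
  end
  direct = begin
    store.fetch_scoped(mallory, 1, secret.oid, secret.size)
    'leaked'
  rescue NotFound, Forbidden => e
    e.class.name
  end
  { unscoped: leaked, scoped_via_public: scoped, scoped_via_private: direct }
end

p idor_demo if __FILE__ == $PROGRAM_NAME
```

The same shape applies to the other CWE-639 entries: the fix is never "check that the object exists", it is "look the object up only inside the set the caller has already been authorized for", and the not-found and not-authorized cases should return the same response where the existence of the object is itself sensitive.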
Total number of vulnerabilities: 599 (this is page 11 of 12)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.