Gitlab » Gitlab : Security Vulnerabilities
Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
(A dash marks a field that is empty on the page; the "# of Exploits" column is empty for every row on this page; "???" is reproduced exactly where the page shows it.)

51 | CVE-2021-39881 | CWE: - | Type: - | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.

52 | CVE-2021-39880 | CWE: - | Type: DoS | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   A Denial of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.

53 | CVE-2021-39879 | CWE: 306 | Type: - | Published: 2021-10-04 | Updated: 2021-10-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication.

54 | CVE-2021-39878 | CWE: 79 | Type: Exec Code XSS | Published: 2021-10-05 | Updated: 2021-10-12 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary JavaScript code.

55 | CVE-2021-39877 | CWE: 400 | Type: - | Published: 2021-10-04 | Updated: 2021-10-12 | Score: 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
   A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.

56 | CVE-2021-39875 | CWE: 200 | Type: +Info | Published: 2021-10-05 | Updated: 2021-10-12 | Score: 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.

57 | CVE-2021-39874 | CWE: - | Type: - | Published: 2021-10-04 | Updated: 2021-10-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.

58 | CVE-2021-39873 | CWE: - | Type: - | Published: 2021-10-04 | Updated: 2021-10-12 | Score: 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.

59 | CVE-2021-39872 | CWE: 287 | Type: - | Published: 2021-10-05 | Updated: 2021-10-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with an expired password to still access GitLab through git and the API via access tokens acquired before password expiration.

60 | CVE-2021-39871 | CWE: - | Type: Bypass | Published: 2021-10-04 | Updated: 2021-10-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.

61 | CVE-2021-39870 | CWE: - | Type: Bypass | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.

62 | CVE-2021-39869 | CWE: 200 | Type: +Info | Published: 2021-10-05 | Updated: 2021-10-12 | Score: 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.

63 | CVE-2021-39868 | CWE: 732 | Type: - | Published: 2021-10-04 | Updated: 2021-10-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.

64 | CVE-2021-39867 | CWE: 918 | Type: - | Published: 2021-10-05 | Updated: 2021-10-12 | Score: 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in the Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.

65 | CVE-2021-39866 | CWE: 668 | Type: - | Published: 2021-10-05 | Updated: 2021-10-12 | Score: 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.

66 | CVE-2021-32823 | CWE: 400 | Type: - | Published: 2021-06-24 | Updated: 2021-06-30 | Score: 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: None | Avail: Partial
   In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created, for example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.

67 | CVE-2021-22264 | CWE: - | Type: - | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.

68 | CVE-2021-22263 | CWE: 269 | Type: - | Published: 2021-10-11 | Updated: 2021-10-18 | Score: 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted the 'Maintainer' role on any project on a GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.

69 | CVE-2021-22262 | CWE: 863 | Type: - | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
   Missing access control in GitLab version 13.10 and above with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page.

70 | CVE-2021-22261 | CWE: 79 | Type: Exec Code XSS | Published: 2021-10-05 | Updated: 2021-10-08 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses.

71 | CVE-2021-22260 | CWE: 79 | Type: Exec Code XSS | Published: 2021-11-05 | Updated: 2021-11-05 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.

72 | CVE-2021-22259 | CWE: - | Type: - | Published: 2021-10-04 | Updated: 2021-10-08 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   A potential DoS vulnerability was discovered in GitLab EE starting with version 12.6 due to a lack of pagination in the dependencies API.

73 | CVE-2021-22258 | CWE: - | Type: - | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses.

74 | CVE-2021-22257 | CWE: - | Type: - | Published: 2021-10-05 | Updated: 2021-10-09 | Score: 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.

75 | CVE-2021-22256 | CWE: 863 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status.

76 | CVE-2021-22254 | CWE: 116 | Type: - | Published: 2021-08-20 | Updated: 2021-08-26 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Under very specific conditions a user could be impersonated using GitLab Shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.

77 | CVE-2021-22253 | CWE: 863 | Type: - | Published: 2021-08-23 | Updated: 2021-08-30 | Score: 4.9
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: Partial
   Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access had been removed.

78 | CVE-2021-22252 | CWE: 668 | Type: - | Published: 2021-08-23 | Updated: 2021-08-30 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers.

79 | CVE-2021-22251 | CWE: 863 | Type: - | Published: 2021-08-23 | Updated: 2021-08-28 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Improper validation of invited users' email addresses in GitLab EE affecting all versions since 12.2 allowed projects to add members with an email address domain that should be blocked by group settings.

80 | CVE-2021-22250 | CWE: 863 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 5.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: None
   Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account.

81 | CVE-2021-22249 | CWE: 209 | Type: - | Published: 2021-08-23 | Updated: 2021-08-28 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group.

82 | CVE-2021-22248 | CWE: 863 | Type: - | Published: 2021-08-23 | Updated: 2021-08-28 | Score: 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only.

83 | CVE-2021-22247 | CWE: 863 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics.

84 | CVE-2021-22246 | CWE: 770 | Type: DoS | Published: 2021-08-20 | Updated: 2021-08-26 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. The GitLab Webhook feature could be abused to perform denial of service attacks.

85 | CVE-2021-22245 | CWE: 20 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   Improper validation of the commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view.

86 | CVE-2021-22244 | CWE: 863 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data.

87 | CVE-2021-22243 | CWE: 863 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.

88 | CVE-2021-22242 | CWE: 79 | Type: XSS | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via specially crafted markdown.

89 | CVE-2021-22241 | CWE: 79 | Type: XSS | Published: 2021-08-05 | Updated: 2021-08-12 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site scripting vulnerability via a specifically crafted default branch name.

90 | CVE-2021-22240 | CWE: 863 | Type: - | Published: 2021-08-05 | Updated: 2021-08-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite the user cap being enabled.

91 | CVE-2021-22239 | CWE: 863 | Type: - | Published: 2021-09-09 | Updated: 2021-09-21 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   An unauthorized user was able to insert metadata when creating a new issue on GitLab CE/EE 14.0 and later.

92 | CVE-2021-22238 | CWE: 79 | Type: XSS | Published: 2021-08-20 | Updated: 2021-08-26 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.

93 | CVE-2021-22237 | CWE: 384 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2.

94 | CVE-2021-22236 | CWE: 863 | Type: - | Published: 2021-08-25 | Updated: 2021-08-31 | Score: 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
   Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.

95 | CVE-2021-22234 | CWE: - | Type: - | Published: 2021-08-05 | Updated: 2021-08-12 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted design image allowed attackers to read arbitrary files on the server.

96 | CVE-2021-22233 | CWE: 200 | Type: +Info | Published: 2021-07-07 | Updated: 2021-07-09 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: None | Avail: None
   An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details.

97 | CVE-2021-22232 | CWE: 74 | Type: - | Published: 2021-07-06 | Updated: 2021-07-08 | Score: 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf: None | Integ: Partial | Avail: None
   HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE.

98 | CVE-2021-22231 | CWE: - | Type: DoS | Published: 2021-07-07 | Updated: 2021-07-09 | Score: 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: None | Integ: None | Avail: Partial
   A denial of service in the user's profile page was found starting with GitLab CE/EE 8.0 that allows an attacker to deny access to their profile page by using a specially crafted username.

99 | CVE-2021-22230 | CWE: - | Type: - | Published: 2021-07-07 | Updated: 2021-07-09 | Score: 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf: Partial | Integ: Partial | Avail: Partial
   Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.

100 | CVE-2021-22229 | CWE: - | Type: - | Published: 2021-07-06 | Updated: 2021-07-08 | Score: 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
   An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through a project fork done by a project member.
Total number of vulnerabilities: 599 (this is page 2 of 12).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.