CVEdetails.com the ultimate security vulnerability data source

Gitlab » Gitlab : Security Vulnerabilities

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 101 | CVE-2021-22241 | 79 | | XSS | 2021-08-05 | 2021-08-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name. |
| 102 | CVE-2021-22240 | 863 | | | 2021-08-05 | 2021-08-12 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled. |
| 103 | CVE-2021-22239 | 863 | | | 2021-09-09 | 2021-09-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later. |
| 104 | CVE-2021-22238 | 79 | | XSS | 2021-08-20 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues. |
| 105 | CVE-2021-22237 | 384 | | | 2021-08-25 | 2021-08-31 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2. |
| 106 | CVE-2021-22236 | 863 | | | 2021-08-25 | 2021-08-31 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1. |
| 107 | CVE-2021-22234 | | | | 2021-08-05 | 2021-08-12 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted design image allowed attackers to read arbitrary files on the server. |
| 108 | CVE-2021-22233 | 200 | | +Info | 2021-07-07 | 2021-07-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details. |
| 109 | CVE-2021-22232 | 74 | | | 2021-07-06 | 2021-07-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE. |
| 110 | CVE-2021-22231 | | | DoS | 2021-07-07 | 2021-07-09 | 4.0 | None | Remote | Low | ??? | None | None | Partial | A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username. |
| 111 | CVE-2021-22230 | | | | 2021-07-07 | 2021-07-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2. |
| 112 | CVE-2021-22229 | | | | 2021-07-06 | 2021-07-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member. |
| 113 | CVE-2021-22228 | 287 | | | 2021-07-06 | 2021-07-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using Graphql. |
| 114 | CVE-2021-22227 | 79 | | XSS | 2021-07-07 | 2021-07-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it. |
| 115 | CVE-2021-22226 | | | | 2021-07-06 | 2021-07-09 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9. |
| 116 | CVE-2021-22225 | 79 | | XSS | 2021-07-07 | 2021-07-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown. |
| 117 | CVE-2021-22224 | 352 | | CSRF | 2021-07-07 | 2021-07-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim. |
| 118 | CVE-2021-22223 | 79 | | XSS | 2021-07-06 | 2021-07-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link. |
| 119 | CVE-2021-22221 | 613 | | | 2021-06-08 | 2021-06-15 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired. |
| 120 | CVE-2021-22220 | 79 | | XSS | 2021-06-08 | 2021-12-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. |
| 121 | CVE-2021-22219 | 532 | | +Info | 2021-06-08 | 2021-06-15 | 4.0 | None | Remote | Low | ??? | Partial | None | None | GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking. |
| 122 | CVE-2021-22218 | 295 | | | 2021-06-08 | 2021-06-17 | 4.0 | None | Remote | Low | ??? | None | Partial | None | All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits. |
| 123 | CVE-2021-22217 | 400 | | DoS | 2021-06-08 | 2021-06-15 | 4.0 | None | Remote | Low | ??? | None | None | Partial | A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request. |
| 124 | CVE-2021-22216 | 400 | | DoS | 2021-06-08 | 2021-06-15 | 4.0 | None | Remote | Low | ??? | None | None | Partial | A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description. |
| 125 | CVE-2021-22215 | 668 | | +Info | 2021-06-08 | 2021-07-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects. |
| 126 | CVE-2021-22214 | 918 | | | 2021-06-08 | 2021-06-16 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited. |
| 127 | CVE-2021-22213 | 200 | | +Info | 2021-06-08 | 2021-06-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari. |
| 128 | CVE-2021-22211 | 863 | | | 2021-05-06 | 2021-05-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling. |
| 129 | CVE-2021-22210 | 770 | | | 2021-05-06 | 2021-05-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results. |
| 130 | CVE-2021-22209 | 863 | | | 2021-05-06 | 2021-05-13 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed. |
| 131 | CVE-2021-22208 | 862 | | | 2021-05-06 | 2021-05-13 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update. |
| 132 | CVE-2021-22206 | 312 | | | 2021-05-06 | 2021-05-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text. |
| 133 | CVE-2021-22205 | 20 | | Exec Code | 2021-04-23 | 2021-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. |
| 134 | CVE-2021-22203 | | | | 2021-04-02 | 2021-04-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server. |
| 135 | CVE-2021-22202 | 352 | | CSRF | 2021-04-02 | 2021-04-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. |
| 136 | CVE-2021-22201 | | | | 2021-04-02 | 2021-04-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. |
| 137 | CVE-2021-22200 | | | | 2021-04-02 | 2021-04-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. |
| 138 | CVE-2021-22199 | 79 | | XSS | 2021-04-22 | 2021-04-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. |
| 139 | CVE-2021-22198 | | | | 2021-04-02 | 2021-04-07 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects. |
| 140 | CVE-2021-22197 | 835 | | | 2021-04-02 | 2021-04-07 | 4.0 | None | Remote | Low | ??? | None | None | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other. |
| 141 | CVE-2021-22196 | 79 | | XSS | 2021-04-02 | 2021-04-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name. |
| 142 | CVE-2021-22194 | 312 | | | 2021-03-26 | 2021-09-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | In all versions of GitLab, marshalled session keys were being stored in Redis. |
| 143 | CVE-2021-22193 | 209 | | | 2021-03-24 | 2021-03-26 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project. |
| 144 | CVE-2021-22192 | | | Exec Code | 2021-03-24 | 2021-03-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server. |
| 145 | CVE-2021-22190 | 22 | | Dir. Trav. | 2021-04-12 | 2021-04-20 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token. |
| 146 | CVE-2021-22189 | 295 | | | 2021-03-04 | 2021-03-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues. |
| 147 | CVE-2021-22188 | | | | 2021-03-03 | 2021-03-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs. |
| 148 | CVE-2021-22187 | 400 | | | 2021-03-02 | 2021-05-04 | 4.0 | None | Remote | Low | ??? | None | None | Partial | An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted. |
| 149 | CVE-2021-22186 | 863 | | | 2021-03-24 | 2021-03-26 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners. |
| 150 | CVE-2021-22185 | 79 | | XSS | 2021-03-24 | 2021-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki. |
Total number of vulnerabilities: 599 (this is page 3 of 12).