CVEdetails.com the ultimate security vulnerability data source
Gitlab » Gitlab: Security Vulnerabilities (CVSS score between 4 and 4.99)

The "# of Exploits" column is blank for every row on this page. "-" marks an empty CWE or type cell.

#    CVE ID          CWE  Type(s)        Published   Updated     Score  Gained  Access  Complexity  Authentication  Conf     Integ    Avail
101  CVE-2020-13342  400  -              2020-10-07  2021-07-21  4.0    None    Remote  Low         ???             None     None     Partial
     An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: lack of rate limiting when re-sending the confirmation email.
102  CVE-2020-13341  732  -              2020-10-12  2021-07-21  4.0    None    Remote  Low         ???             None     Partial  None
     An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. An insufficient permission check allows an attacker with the developer role to perform various deletions.
103  CVE-2020-13335  287  -              2020-10-07  2021-07-21  4.0    None    Remote  Low         ???             None     Partial  None
     Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete their own account without deleting/transferring their group.
104  CVE-2020-13333  400  -              2020-10-06  2020-10-29  4.0    None    Remote  Low         ???             None     None     Partial
     A potential DoS vulnerability was discovered in GitLab versions 13.1, 13.2 and 13.3. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage.
105  CVE-2020-13323  863  -              2020-09-30  2021-07-21  4.3    None    Remote  Medium      Not required    Partial  None     None
     A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions private merge requests could be read via Todos.
106  CVE-2020-13320  863  -              2020-09-30  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.
107  CVE-2020-13319  862  -              2020-09-30  2020-10-02  4.0    None    Remote  Low         ???             None     Partial  None
     An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13: missing permission check for adding time spent on an issue.
108  CVE-2020-13318  863  -              2020-09-14  2021-07-21  4.9    None    Remote  Medium      ???             Partial  Partial  None
     A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLab's EKS integration was vulnerable to a cross-account assume-role attack.
109  CVE-2020-13317  20   -              2020-09-14  2020-09-16  4.0    None    Remote  Low         ???             None     Partial  None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An insufficient check in the GraphQL API allowed a maintainer to delete a repository.
110  CVE-2020-13316  862  -              2020-09-14  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository to be accessible via the git command line.
111  CVE-2020-13313  863  -              2020-09-14  2020-09-16  4.0    None    Remote  Low         ???             None     Partial  None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
112  CVE-2020-13311  74   -              2020-09-14  2021-07-21  4.0    None    Remote  Low         ???             None     None     Partial
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The Wiki was vulnerable to a parser attack that prevents anyone from accessing the Wiki functionality through the user interface.
113  CVE-2020-13310  -    DoS            2020-09-14  2020-09-16  4.0    None    Remote  Low         ???             None     None     Partial
     A vulnerability was discovered in GitLab Runner versions before 13.1.3, 13.2.3 and 13.3.1. It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial of service.
114  CVE-2020-13308  281  -              2020-09-15  2020-09-18  4.0    None    Remote  Low         ???             None     None     Partial
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. A user without two-factor authentication enabled could be prohibited from accessing GitLab by being invited into a project that had two-factor authentication inheritance.
115  CVE-2020-13305  613  -              2020-09-14  2020-09-17  4.0    None    Remote  Low         ???             Partial  None     None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating the project invitation link upon removing a user from a project.
116  CVE-2020-13303  863  -              2020-09-15  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
117  CVE-2020-13297  287  Bypass         2020-09-14  2021-07-21  4.9    None    Remote  Medium      ???             Partial  Partial  None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When two-factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint.
118  CVE-2020-13287  -    -              2020-09-14  2020-09-16  4.0    None    Remote  Low         ???             Partial  None     None
     A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see a confidential Epic attached to confidential issues.
119  CVE-2020-13286  918  -              2020-08-13  2020-08-14  4.0    None    Remote  Low         ???             None     Partial  None
     For GitLab before 13.0.12, 13.1.6 and 13.2.3, user-controlled git configuration settings can be modified to result in Server Side Request Forgery.
120  CVE-2020-13282  281  -              2020-08-13  2020-08-19  4.9    None    Remote  Medium      ???             Partial  Partial  None
     For GitLab before 13.0.12, 13.1.6 and 13.2.3, after a group transfer occurs, members from a parent group keep their access level on the subgroup, leading to improper access.
121  CVE-2020-13281  20   DoS            2020-08-13  2021-07-21  4.0    None    Remote  Low         ???             None     None     Partial
     For GitLab before 13.0.12, 13.1.6 and 13.2.3, a denial of service exists in the project import feature.
122  CVE-2020-13280  400  -              2020-08-13  2020-08-19  4.0    None    Remote  Low         ???             None     None     Partial
     For GitLab before 13.0.12, 13.1.6 and 13.2.3, a memory exhaustion flaw exists due to excessive logging of an invite email error message.
123  CVE-2020-13277  863  -              2020-06-19  2020-06-29  4.0    None    Remote  Low         ???             Partial  None     None
     An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5.
124  CVE-2020-13276  863  -              2020-06-19  2021-07-21  4.0    None    Remote  Low         ???             None     Partial  None
     A user is allowed to set an email as a notification email even without verifying the new email in all GitLab CE/EE versions through 13.0.1.
125  CVE-2020-13271  79   Exec Code XSS  2020-06-10  2020-06-16  4.3    None    Remote  Medium      Not required    None     Partial  None
     A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code in the blobs API in all GitLab CE/EE versions through 13.0.1.
126  CVE-2020-13269  79   Exec Code XSS  2020-06-10  2020-06-16  4.3    None    Remote  Medium      Not required    None     Partial  None
     A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1.
127  CVE-2020-13267  79   XSS            2020-06-10  2020-06-16  4.3    None    Remote  Medium      Not required    None     Partial  None
     A Stored Cross-Site Scripting vulnerability allowed the execution of JavaScript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1.
128  CVE-2020-13266  862  -              2020-06-09  2020-06-15  4.0    None    Remote  Low         ???             None     Partial  None
     Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions.
129  CVE-2020-13262  79   XSS            2020-06-19  2021-07-21  4.3    None    Remote  Medium      Not required    None     Partial  None
     Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to issue PUT requests on behalf of other users when they click on a link.
130  CVE-2020-13261  522  -              2020-06-19  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via the HTML source code.
131  CVE-2020-11649  306  -              2020-04-22  2020-04-28  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted.
132  CVE-2020-10981  20   -              2020-04-08  2021-07-21  4.0    None    Remote  Low         ???             None     Partial  None
     GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.
133  CVE-2020-10979  200  +Info          2020-04-08  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     GitLab EE/CE 11.10 to 12.9 leaks information on restricted CI pipeline metrics to unauthorized users.
134  CVE-2020-10975  200  +Info          2020-04-08  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     GitLab EE/CE 10.8 to 12.9 leaks metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.
135  CVE-2020-10955  200  +Info          2020-03-27  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
136  CVE-2020-10535  -    Bypass         2020-03-12  2020-03-17  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address.
137  CVE-2020-10092  79   XSS            2020-03-13  2020-03-16  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration.
138  CVE-2020-10091  79   XSS            2020-03-13  2020-03-16  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.
139  CVE-2020-10081  863  -              2020-03-13  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.
140  CVE-2020-10078  79   XSS            2020-03-13  2020-03-17  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability.
141  CVE-2020-10076  79   XSS            2020-03-13  2020-03-17  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests.
142  CVE-2020-7979   276  -              2020-02-05  2020-02-07  4.3    None    Remote  Medium      Not required    Partial  None     None
     GitLab EE 8.9 and later through 12.7.2 has Insecure Permissions.
143  CVE-2020-7977   276  -              2020-02-05  2020-02-06  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions.
144  CVE-2020-7973   79   XSS            2020-02-05  2020-02-06  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab through 12.7.2 allows XSS.
145  CVE-2020-7971   79   XSS            2020-02-05  2020-02-06  4.3    None    Remote  Medium      Not required    None     Partial  None
     GitLab EE 11.0 and later through 12.7.2 allows XSS.
146  CVE-2020-7967   276  -              2020-02-05  2020-02-06  4.0    None    Remote  Low         ???             Partial  None     None
     GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of 2).
147  CVE-2019-20148  200  +Info          2020-01-13  2021-07-21  4.3    None    Remote  Medium      Not required    Partial  None     None
     An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
148  CVE-2019-20145  -    -              2020-01-13  2020-08-24  4.0    None    Remote  Low         ???             None     Partial  None
     An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.
149  CVE-2019-20144  -    -              2020-01-13  2020-08-24  4.0    None    Remote  Low         ???             None     Partial  None
     An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.
150  CVE-2019-20142  -    DoS            2020-01-13  2020-08-24  4.0    None    Remote  Low         ???             None     None     Partial
     An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service.
Total number of vulnerabilities: 258. Page 3 of 6.