Gitlab » Gitlab : Security Vulnerabilities

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2021-22184 200 +Info 2021-03-26 2021-03-30
2.1
None Local Low Not required Partial None None
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
152 CVE-2021-22183 79 XSS 2021-03-04 2021-03-10
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
153 CVE-2021-22182 79 XSS 2021-03-03 2021-03-04
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request.
154 CVE-2021-22181 400 DoS 2021-06-11 2021-06-21
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
155 CVE-2021-22180 863 2021-03-26 2021-03-30
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
156 CVE-2021-22179 918 2021-03-24 2021-03-26
5.5
None Remote Low ??? None Partial Partial
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
157 CVE-2021-22178 918 2021-03-24 2021-03-26
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 13.2. GitLab was vulnerable to an SSRF attack through the Prometheus integration.
158 CVE-2021-22177 400 2021-04-01 2021-04-05
4.0
None Remote Low ??? None None Partial
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
159 CVE-2021-22176 863 2021-03-24 2021-03-26
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests.
160 CVE-2021-22175 918 2021-06-11 2021-06-21
6.8
None Remote Medium Not required Partial Partial Partial
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
161 CVE-2021-22172 863 2021-03-26 2021-03-30
4.0
None Remote Low ??? Partial None None
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page.
162 CVE-2021-22171 287 2021-01-15 2021-01-22
4.3
None Remote Medium Not required Partial None None
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link.
163 CVE-2021-22170 326 2021-12-06 2021-12-07
5.0
None Remote Low Not required Partial None None
Assuming a database breach, nonce reuse issues in GitLab 11.6+ allow an attacker to decrypt some of the database's encrypted content.
164 CVE-2021-22169 200 +Info 2021-03-24 2021-03-25
4.0
None Remote Low ??? Partial None None
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
165 CVE-2021-22168 400 DoS 2021-01-15 2021-01-22
4.0
None Remote Low ??? None None Partial
A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
166 CVE-2021-22167 2021-01-15 2021-01-22
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers on a specific project page allow an attacker to have temporary read access to the private repository.
167 CVE-2021-22166 400 DoS 2021-01-15 2021-01-21
5.0
None Remote Low Not required None None Partial
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method.
168 CVE-2020-26417 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
169 CVE-2020-26416 200 +Info 2020-12-11 2021-07-21
2.1
None Local Low Not required Partial None None
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
170 CVE-2020-26415 200 +Info 2020-12-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Information about the starred projects for private user profiles was exposed via the GraphQL API and the REST API starting from 12.2. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
171 CVE-2020-26414 2021-01-15 2021-01-21
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
172 CVE-2020-26413 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
173 CVE-2020-26412 200 +Info 2020-12-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
174 CVE-2020-26411 404 2020-12-11 2020-12-14
4.0
None Remote Low ??? None None Partial
A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused.
175 CVE-2020-26409 20 Bypass 2020-12-11 2021-07-21
4.0
None Remote Low ??? None None Partial
A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7, >=13.5, <13.5.5, >=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields.
176 CVE-2020-26408 200 +Info 2020-12-11 2021-07-21
5.0
None Remote Low Not required Partial None None
A limited information disclosure vulnerability exists in Gitlab CE/EE from >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in a user's private profile.
177 CVE-2020-26407 79 XSS 2020-12-10 2020-12-11
3.5
None Remote Medium ??? None Partial None
An XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting against other users via importing a malicious project.
178 CVE-2020-26406 2020-11-17 2020-12-01
5.0
None Remote Low Not required Partial None None
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
179 CVE-2020-26405 22 Dir. Trav. 2020-11-17 2020-12-01
5.5
None Remote Low ??? None Partial Partial
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
180 CVE-2020-15525 269 2020-07-07 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.
181 CVE-2020-14155 190 Overflow 2020-06-15 2021-09-22
5.0
None Remote Low Not required None None Partial
libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
182 CVE-2020-13359 200 Bypass +Info 2020-11-19 2021-07-21
5.5
None Remote Low ??? Partial Partial None
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
183 CVE-2020-13358 863 2020-11-17 2021-07-21
2.1
None Local Low Not required Partial None None
A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.
184 CVE-2020-13357 639 2020-12-11 2020-12-14
4.0
None Remote Low ??? Partial None None
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
185 CVE-2020-13356 Bypass 2020-11-19 2020-12-01
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
186 CVE-2020-13355 22 Dir. Trav. 2020-11-19 2020-12-01
5.5
None Remote Low ??? None Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
187 CVE-2020-13354 400 2020-11-17 2020-11-30
4.0
None Remote Low ??? None None Partial
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
188 CVE-2020-13352 2020-11-17 2020-11-27
5.0
None Remote Low Not required Partial None None
Private group info is leaked in GitLab CE/EE version 10.2 and above when the project is moved from a private to a public group. Affected versions are: >=10.2, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2.
189 CVE-2020-13351 276 2020-11-17 2020-11-27
5.0
None Remote Low Not required Partial None None
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2.
190 CVE-2020-13350 352 CSRF 2020-11-17 2020-11-27
4.3
None Remote Medium Not required None None Partial
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9.
191 CVE-2020-13349 2020-11-17 2021-07-21
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
192 CVE-2020-13348 Bypass 2020-11-17 2020-11-27
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
193 CVE-2020-13347 77 2020-10-07 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a Docker executor, an attacker can run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable.
194 CVE-2020-13346 200 +Info 2020-10-07 2021-07-21
4.0
None Remote Low ??? Partial None None
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
195 CVE-2020-13345 79 XSS 2020-10-06 2020-10-15
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on multiple routes.
196 CVE-2020-13344 200 +Info 2020-10-08 2021-07-21
2.1
None Local Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Session keys are stored in plain text in Redis, which allows an attacker with Redis access to authenticate as any user that has a session stored in Redis.
197 CVE-2020-13343 668 2020-10-06 2020-10-14
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized users can view custom project templates.
198 CVE-2020-13342 400 2020-10-07 2021-07-21
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
199 CVE-2020-13341 732 2020-10-12 2021-07-21
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions.
200 CVE-2020-13340 79 XSS 2020-10-08 2020-10-14
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log
Total number of vulnerabilities: 599 (page 4 of 12)