Gitlab » Gitlab : Security Vulnerabilities

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 251 | CVE-2020-13287 | | | | 2020-09-14 | 2020-09-16 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see confidential EPIC attached to confidential issues. |
| 252 | CVE-2020-13286 | 918 | | | 2020-08-13 | 2020-08-14 | 4.0 | None | Remote | Low | ??? | None | Partial | None | For GitLab before 13.0.12, 13.1.6, 13.2.3, user-controlled git configuration settings can be modified to result in Server Side Request Forgery. |
| 253 | CVE-2020-13285 | 79 | | XSS | 2020-08-13 | 2021-05-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | For GitLab before 13.0.12, 13.1.6, 13.2.3, a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip. |
| 254 | CVE-2020-13284 | 863 | | | 2020-09-14 | 2020-09-16 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token. |
| 255 | CVE-2020-13283 | 79 | | XSS | 2020-08-13 | 2020-08-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | For GitLab before 13.0.12, 13.1.6, 13.2.3, a cross-site scripting vulnerability exists in the issues list via milestone title. |
| 256 | CVE-2020-13282 | 281 | | | 2020-08-13 | 2020-08-19 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | For GitLab before 13.0.12, 13.1.6, 13.2.3, after a group transfer occurs, members from a parent group keep their access level on the subgroup, leading to improper access. |
| 257 | CVE-2020-13281 | 20 | | DoS | 2020-08-13 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | None | None | Partial | For GitLab before 13.0.12, 13.1.6, 13.2.3, a denial of service exists in the project import feature. |
| 258 | CVE-2020-13280 | 400 | | | 2020-08-13 | 2020-08-19 | 4.0 | None | Remote | Low | ??? | None | None | Partial | For GitLab before 13.0.12, 13.1.6, 13.2.3, a memory exhaustion flaw exists due to excessive logging of an invite email error message. |
| 259 | CVE-2020-13277 | 863 | | | 2020-06-19 | 2020-06-29 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5. |
| 260 | CVE-2020-13276 | 863 | | | 2020-06-19 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A user is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1. |
| 261 | CVE-2020-13275 | 863 | | | 2020-06-19 | 2021-07-21 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | A user with an unverified email address could request access to domain-restricted groups in GitLab EE 12.2 and later through 13.0.1. |
| 262 | CVE-2020-13274 | 400 | | DoS | 2020-06-19 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1. |
| 263 | CVE-2020-13273 | 400 | | DoS | 2020-06-19 | 2021-07-21 | 7.8 | None | Remote | Low | Not required | None | None | Complete | A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1. |
| 264 | CVE-2020-13272 | 863 | | | 2020-06-19 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | OAuth flow missing verification checks in CE/EE 12.3 and later through 13.0.1 allows an unverified user to use the OAuth authorization code flow. |
| 265 | CVE-2020-13271 | 79 | | Exec Code XSS | 2020-06-10 | 2020-06-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1. |
| 266 | CVE-2020-13270 | 276 | | | 2020-06-10 | 2020-06-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API. |
| 267 | CVE-2020-13269 | 79 | | Exec Code XSS | 2020-06-10 | 2020-06-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1. |
| 268 | CVE-2020-13268 | 20 | | | 2020-06-10 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1. |
| 269 | CVE-2020-13267 | 79 | | XSS | 2020-06-10 | 2020-06-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A Stored Cross-Site Scripting vulnerability allowed the execution of Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1. |
| 270 | CVE-2020-13266 | 862 | | | 2020-06-09 | 2020-06-15 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions. |
| 271 | CVE-2020-13265 | 345 | | Bypass | 2020-06-19 | 2020-06-26 | 5.0 | None | Remote | Low | Not required | None | Partial | None | User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification. |
| 272 | CVE-2020-13264 | 200 | | +Info | 2020-06-19 | 2020-06-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view the Kubernetes cluster token. |
| 273 | CVE-2020-13263 | 863 | | | 2020-06-19 | 2020-07-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer to perform limited actions. |
| 274 | CVE-2020-13262 | 79 | | XSS | 2020-06-19 | 2021-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link. |
| 275 | CVE-2020-13261 | 522 | | | 2020-06-19 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code. |
| 276 | CVE-2020-12448 | 22 | | Dir. Trav. | 2020-05-07 | 2020-05-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. |
| 277 | CVE-2020-12277 | 276 | | | 2020-04-29 | 2020-05-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated. |
| 278 | CVE-2020-12276 | 79 | | XSS | 2020-04-29 | 2020-05-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. |
| 279 | CVE-2020-12275 | 269 | | | 2020-04-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API. |
| 280 | CVE-2020-11649 | 306 | | | 2020-04-22 | 2020-04-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. |
| 281 | CVE-2020-11506 | 200 | | Bypass +Info | 2020-04-22 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling. |
| 282 | CVE-2020-11505 | 200 | | Bypass +Info | 2020-04-22 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling. |
| 283 | CVE-2020-10981 | 20 | | | 2020-04-08 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project. |
| 284 | CVE-2020-10980 | 918 | | | 2020-04-08 | 2020-04-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration. |
| 285 | CVE-2020-10979 | 200 | | +Info | 2020-04-08 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipeline metrics to unauthorized users. |
| 286 | CVE-2020-10978 | 200 | | +Info | 2020-04-08 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through the Web UI and GraphQL API. |
| 287 | CVE-2020-10977 | 22 | | Dir. Trav. | 2020-04-08 | 2020-12-11 | 2.1 | None | Local | Low | Not required | Partial | None | None | GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects. |
| 288 | CVE-2020-10976 | 200 | | +Info | 2020-04-08 | 2020-04-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget. |
| 289 | CVE-2020-10975 | 200 | | +Info | 2020-04-08 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page. |
| 290 | CVE-2020-10956 | 918 | | | 2020-03-27 | 2020-04-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. |
| 291 | CVE-2020-10955 | 200 | | +Info | 2020-03-27 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. |
| 292 | CVE-2020-10954 | 400 | | | 2020-03-27 | 2020-03-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | GitLab through 12.9 is affected by a potential DoS in repository archive download. |
| 293 | CVE-2020-10953 | 22 | | Dir. Trav. | 2020-03-27 | 2020-03-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. |
| 294 | CVE-2020-10952 | 863 | | | 2020-03-27 | 2021-07-21 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images. |
| 295 | CVE-2020-10535 | | | Bypass | 2020-03-12 | 2020-03-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address. |
| 296 | CVE-2020-10092 | 79 | | XSS | 2020-03-13 | 2020-03-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration. |
| 297 | CVE-2020-10091 | 79 | | XSS | 2020-03-13 | 2020-03-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types. |
| 298 | CVE-2020-10090 | 200 | | +Info | 2020-03-13 | 2020-03-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed. |
| 299 | CVE-2020-10089 | 674 | | DoS | 2020-03-13 | 2020-03-17 | 5.0 | None | Remote | Low | Not required | None | None | Partial | GitLab 8.11 through 12.8.1 allows a Denial of Service when using several features to recursively request each other. |
| 300 | CVE-2020-10088 | 732 | | | 2020-03-13 | 2021-07-21 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level. |
Total number of vulnerabilities: 599. This is page 6 of 12.