CVEdetails.com the ultimate security vulnerability data source
Gitlab » Gitlab : Security Vulnerabilities

#    CVE ID          CWE  Expl.  Type(s)        Published   Updated     Score  Gained  Access  Complexity  Authentication  Conf.    Integ.   Avail.

401  CVE-2019-15578  200  -      +Info          2020-01-28  2020-01-29  5.0    None    Remote  Low         Not required    Partial  None     None
     An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project that used to be public would be disclosed in the unsubscribe email link of issues and merge requests.

402  CVE-2019-15577  307  -      -              2019-12-18  2021-11-02  4.0    None    Remote  Low         ???             Partial  None     None
     An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.

403  CVE-2019-15576  862  -      -              2019-12-18  2021-11-02  5.0    None    Remote  Low         Not required    Partial  None     None
     An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.

404  CVE-2019-15575  77   -      -              2019-12-18  2020-10-09  5.0    None    Remote  Low         Not required    Partial  None     None
     A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope.

405  CVE-2019-14943  798  -      -              2019-08-29  2019-09-04  7.5    None    Remote  Low         Not required    Partial  Partial  Partial
     An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials.

406  CVE-2019-13121  918  -      -              2020-03-10  2020-03-11  5.0    None    Remote  Low         Not required    None     Partial  None
     An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0.2. The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local network resources. It has Incorrect Access Control.

407  CVE-2019-13011  400  -      -              2020-03-10  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute force, a user with access to a project, but not its repository, could create a list of merge request template names. It has excessive algorithmic complexity.

408  CVE-2019-13010  -    -      -              2020-03-10  2020-08-24  4.3    None    Remote  Medium      Not required    None     None     Partial
     An issue was discovered in GitLab Enterprise Edition 8.3 through 12.0.2. The color codes decoder was vulnerable to a resource depletion attack if specific formats were used. It allows Uncontrolled Resource Consumption.

409  CVE-2019-13009  400  -      -              2020-03-10  2020-08-24  4.0    None    Remote  Low         ???             None     None     Partial
     An issue was discovered in GitLab Community and Enterprise Edition 9.2 through 12.0.2. Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper permission settings. It has Incorrect Access Control.

410  CVE-2019-13007  400  -      -              2020-03-10  2020-03-10  4.0    None    Remote  Low         ???             None     None     Partial
     An issue was discovered in GitLab Community and Enterprise Edition 11.11 through 12.0.2. When an admin enabled one of the service templates, it triggered an action that leads to resource depletion. It allows Uncontrolled Resource Consumption.

411  CVE-2019-13006  200  -      +Info          2020-03-10  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 9.0 through 12.0.2. Users with access to issues, but not the repository, were able to view the number of related merge requests on an issue. It has Incorrect Access Control.

412  CVE-2019-13005  -    -      -              2020-03-10  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab GraphQL service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. It has Incorrect Access Control.

413  CVE-2019-13004  -    -      -              2020-03-10  2020-03-11  5.0    None    Remote  Low         Not required    None     None     Partial
     An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It has Incorrect Access Control (issue 1 of 2).

414  CVE-2019-13003  400  -      -              2020-03-10  2020-03-11  5.0    None    Remote  Low         Not required    None     None     Partial
     An issue was discovered in GitLab Community and Enterprise Edition before 12.0.3. One of the parsers used by GitLab CI was vulnerable to a resource exhaustion attack. It allows Uncontrolled Resource Consumption.

415  CVE-2019-13002  200  -      +Info          2020-03-10  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.

416  CVE-2019-13001  863  -      Bypass         2020-03-10  2020-03-10  4.0    None    Remote  Low         ???             None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass.

417  CVE-2019-12825  922  -      -              2020-02-17  2020-02-28  4.0    None    Remote  Low         ???             Partial  None     None
     Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.

418  CVE-2019-12446  209  -      -              2020-03-10  2020-03-10  5.0    None    Remote  Low         Not required    Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 8.3 through 11.11. It allows Information Exposure through an Error Message.

419  CVE-2019-12445  79   -      Exec Code XSS  2020-03-10  2020-03-10  3.5    None    Remote  Medium      ???             None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows XSS.

420  CVE-2019-12444  79   -      XSS            2020-03-10  2020-03-10  4.3    None    Remote  Medium      Not required    None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition 8.9 through 11.11. Wiki Pages lacked input validation, which resulted in a persistent XSS vulnerability.

421  CVE-2019-12443  918  -      -              2020-03-10  2020-03-10  7.5    None    Remote  Low         Not required    Partial  Partial  Partial
     An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by insufficient validation to prevent DNS rebinding attacks.

422  CVE-2019-12442  79   -      XSS            2020-03-10  2020-03-10  4.3    None    Remote  Medium      Not required    None     Partial  None
     An issue was discovered in GitLab Enterprise Edition 11.7 through 11.11. The epic details page lacked input validation and output encoding, which resulted in a persistent XSS vulnerability on child epics.

423  CVE-2019-12441  732  -      Bypass         2020-03-10  2020-03-10  5.0    None    Remote  Low         Not required    None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. The protected branches feature contained an access control issue which resulted in a bypass of the protected branches restriction rules. It has Incorrect Access Control.

424  CVE-2019-12434  330  -      -              2020-03-10  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure.

425  CVE-2019-12433  20   -      -              2020-03-10  2020-03-10  5.0    None    Remote  Low         Not required    None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues.

426  CVE-2019-12432  200  -      +Info          2020-03-10  2020-03-10  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure.

427  CVE-2019-12431  -    -      -              2020-03-10  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access Control.

428  CVE-2019-12430  78   -      Exec Code      2020-03-10  2021-07-21  6.5    None    Remote  Low         ???             Partial  Partial  Partial
     An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. It allows Command Injection.

429  CVE-2019-12429  269  -      -              2020-03-10  2021-07-21  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.

430  CVE-2019-12428  -    -      Bypass         2020-03-10  2020-08-24  7.5    None    Remote  Low         Not required    Partial  Partial  Partial
     An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization.

431  CVE-2019-11605  200  -      +Info          2019-09-09  2019-09-10  5.0    None    Remote  Low         Not required    Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 11.8.x before 11.8.10, 11.9.x before 11.9.11, and 11.10.x before 11.10.3. It allows Information Disclosure. A small number of GitLab API endpoints would disclose project information when using a read_user scoped token.

432  CVE-2019-11549  532  -      -              2019-09-09  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly allows an information disclosure issue where HTTP/GIT credentials are included in logs on connection errors.

433  CVE-2019-11548  79   -      XSS            2019-09-09  2019-09-10  3.5    None    Remote  Medium      ???             None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint.

434  CVE-2019-11547  79   -      XSS            2019-09-09  2021-07-21  4.3    None    Remote  Medium      Not required    None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues.

435  CVE-2019-11546  362  -      -              2019-09-09  2019-09-10  3.5    None    Remote  Medium      ???             None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve a merge request multiple times and potentially reach the approval count required to merge.

436  CVE-2019-11545  200  -      +Info          2019-09-09  2019-09-10  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private project namespace is leaked to unauthorized users with access to the original issue.

437  CVE-2019-11544  -    -      -              2019-09-09  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It allows Information Disclosure. Non-member users who subscribe to notifications of an internal project with issue and repository restrictions will receive emails about restricted events.

438  CVE-2019-11000  -    -      -              2019-05-10  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An issue was discovered in GitLab Enterprise Edition before 11.7.11, 11.8.x before 11.8.7, and 11.9.x before 11.9.7. It allows Information Disclosure.

439  CVE-2019-10640  77   -      -              2019-05-15  2020-08-24  5.0    None    Remote  Low         Not required    None     None     Partial
     An issue was discovered in GitLab Community and Enterprise Edition before 11.7.10, 11.8.x before 11.8.6, and 11.9.x before 11.9.4. A regex input validation issue for the .gitlab-ci.yml refs value allows Uncontrolled Resource Consumption.

440  CVE-2019-10117  601  -      -              2019-05-16  2019-05-16  5.8    None    Remote  Medium      Not required    Partial  Partial  None
     An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node.

441  CVE-2019-10116  732  -      -              2019-05-16  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue.

442  CVE-2019-10115  732  -      -              2019-05-16  2020-08-24  4.0    None    Remote  Low         ???             Partial  None     None
     An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information.

443  CVE-2019-10114  203  -      -              2019-05-16  2020-08-24  5.0    None    Remote  Low         Not required    Partial  None     None
     An Information Exposure issue (issue 2 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.

444  CVE-2019-10113  400  -      -              2019-05-16  2019-05-16  5.0    None    Remote  Low         Not required    None     None     Partial
     An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Making concurrent GET /api/v4/projects/<id>/languages requests may allow Uncontrolled Resource Consumption.

445  CVE-2019-10112  320  -      -              2019-05-16  2021-07-21  5.0    None    Remote  Low         Not required    Partial  None     None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The construction of the HMAC key was insecurely derived.

446  CVE-2019-10111  79   -      XSS            2019-05-15  2019-05-16  3.5    None    Remote  Medium      ???             None     Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.

447  CVE-2019-10110  732  -      -              2019-05-15  2020-08-24  4.0    None    Remote  Low         ???             None     Partial  None
     An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The "move issue" feature may allow a user to create projects under any namespace on any GitLab instance on which they hold credentials.

448  CVE-2019-10109  200  -      +Info          2019-05-15  2019-05-16  5.0    None    Remote  Low         Not required    Partial  None     None
     An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. EXIF geolocation data were not removed from images when uploaded to GitLab. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data (if present).

449  CVE-2019-10108  639  -      -              2019-05-15  2020-08-24  5.5    None    Remote  Low         ???             Partial  Partial  None
     An Incorrect Access Control issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels.

450  CVE-2019-9890   -    -      -              2019-04-17  2020-08-24  6.4    None    Remote  Low         Not required    Partial  Partial  None
     An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
Total number of vulnerabilities: 599 (page 9 of 12)