CVEdetails.com
GitLab: Security Vulnerabilities (CVSS score between 4 and 4.99)

Columns are those of the source listing. The Access Complexity, Authentication and Conf./Integ./Avail. columns are CVSS v2 base metrics and are rendered here as the v2 vector (Remote = AV:N, Low/Medium = AC:L/AC:M, Not required = Au:N, None/Partial = N/P). Gained Access Level is "None" for every row and is omitted. The source prints "???" in the Authentication column on every 4.0- and 4.9-scored row; with the other metrics shown, a v2 score of 4.0 (AV:N/AC:L, one Partial impact) or 4.9 (AV:N/AC:M, two Partial impacts) is only produced by Au:S (single authentication), so those rows are rendered as Au:S.

| # | CVE ID | CWE | Type | Published | Updated | Score | CVSS v2 vector | Description |
|---|--------|-----|------|-----------|---------|-------|----------------|-------------|
| 1 | CVE-2021-39911 | 863 | | 2021-11-05 | 2021-11-08 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | An improper access control flaw in GitLab CE/EE since version 13.9 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers |
| 2 | CVE-2021-39906 | 79 | Exec Code XSS | 2021-11-05 | 2021-11-08 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. |
| 3 | CVE-2021-39905 | | | 2021-11-05 | 2021-11-08 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with |
| 4 | CVE-2021-39904 | 863 | | 2021-11-05 | 2021-11-08 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE since version 13.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request |
| 5 | CVE-2021-39903 | 863 | | 2021-11-04 | 2021-11-08 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings. |
| 6 | CVE-2021-39902 | 863 | | 2021-11-04 | 2021-11-08 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. |
| 7 | CVE-2021-39901 | | | 2021-11-05 | 2021-11-08 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. |
| 8 | CVE-2021-39900 | 668 | | 2021-10-04 | 2021-10-13 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. |
| 9 | CVE-2021-39891 | 863 | | 2021-10-05 | 2021-10-09 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. |
| 10 | CVE-2021-39889 | 732 | | 2021-10-05 | 2021-10-09 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. |
| 11 | CVE-2021-39888 | 200 | +Info | 2021-10-05 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. |
| 12 | CVE-2021-39886 | 276 | | 2021-10-05 | 2021-10-09 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references. |
| 13 | CVE-2021-39884 | 668 | | 2021-10-05 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. |
| 14 | CVE-2021-39883 | 863 | | 2021-10-04 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Improper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups. |
| 15 | CVE-2021-39880 | | DoS | 2021-10-05 | 2021-10-09 | 4.0 | AV:N/AC:L/Au:S/C:N/I:N/A:P | A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware. |
| 16 | CVE-2021-39879 | 306 | | 2021-10-04 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication |
| 17 | CVE-2021-39877 | 400 | | 2021-10-04 | 2021-10-12 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P | A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. |
| 18 | CVE-2021-39874 | | | 2021-10-04 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands. |
| 19 | CVE-2021-39873 | | | 2021-10-04 | 2021-10-12 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N | In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response. |
| 20 | CVE-2021-39872 | 287 | | 2021-10-05 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. |
| 21 | CVE-2021-39871 | | Bypass | 2021-10-04 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call. |
| 22 | CVE-2021-39870 | | Bypass | 2021-10-05 | 2021-10-09 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call. |
| 23 | CVE-2021-39869 | 200 | +Info | 2021-10-05 | 2021-10-12 | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N | In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. |
| 24 | CVE-2021-39868 | 732 | | 2021-10-04 | 2021-10-12 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. |
| 25 | CVE-2021-32823 | 400 | | 2021-06-24 | 2021-06-30 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P | In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers. |
| 26 | CVE-2021-22264 | | | 2021-10-05 | 2021-10-09 | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N | An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted. |
| 27 | CVE-2021-22259 | | | 2021-10-04 | 2021-10-08 | 4.0 | AV:N/AC:L/Au:S/C:N/I:N/A:P | A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API. |
| 28 | CVE-2021-22258 | | | 2021-10-05 | 2021-10-09 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses |
| 29 | CVE-2021-22253 | 863 | | 2021-08-23 | 2021-08-30 | 4.9 | AV:N/AC:M/Au:S/C:N/I:P/A:P | Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed |
| 30 | CVE-2021-22252 | 668 | | 2021-08-23 | 2021-08-30 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers |
| 31 | CVE-2021-22251 | 863 | | 2021-08-23 | 2021-08-28 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings |
| 32 | CVE-2021-22249 | 209 | | 2021-08-23 | 2021-08-28 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group |
| 33 | CVE-2021-22247 | 863 | | 2021-08-25 | 2021-08-31 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics |
| 34 | CVE-2021-22246 | 770 | DoS | 2021-08-20 | 2021-08-26 | 4.0 | AV:N/AC:L/Au:S/C:N/I:N/A:P | A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks. |
| 35 | CVE-2021-22245 | 20 | | 2021-08-25 | 2021-08-31 | 4.0 | AV:N/AC:L/Au:S/C:N/I:N/A:P | Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view |
| 36 | CVE-2021-22244 | 863 | | 2021-08-25 | 2021-08-31 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data |
| 37 | CVE-2021-22243 | 863 | | 2021-08-25 | 2021-08-31 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group. |
| 38 | CVE-2021-22240 | 863 | | 2021-08-05 | 2021-08-12 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled |
| 39 | CVE-2021-22239 | 863 | | 2021-09-09 | 2021-09-21 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later. |
| 40 | CVE-2021-22237 | 384 | | 2021-08-25 | 2021-08-31 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2 |
| 41 | CVE-2021-22234 | | | 2021-08-05 | 2021-08-12 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted design image allowed attackers to read arbitrary files on the server. |
| 42 | CVE-2021-22233 | 200 | +Info | 2021-07-07 | 2021-07-09 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details |
| 43 | CVE-2021-22231 | | DoS | 2021-07-07 | 2021-07-09 | 4.0 | AV:N/AC:L/Au:S/C:N/I:N/A:P | A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username. |
| 44 | CVE-2021-22229 | | | 2021-07-06 | 2021-07-08 | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N | An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member. |
| 45 | CVE-2021-22228 | 287 | | 2021-07-06 | 2021-07-08 | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using Graphql. |
| 46 | CVE-2021-22227 | 79 | XSS | 2021-07-07 | 2021-07-10 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N | A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it |
| 47 | CVE-2021-22226 | | | 2021-07-06 | 2021-07-09 | 4.9 | AV:N/AC:M/Au:S/C:P/I:P/A:N | Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9 |
| 48 | CVE-2021-22224 | 352 | CSRF | 2021-07-07 | 2021-07-09 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N | A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim |
| 49 | CVE-2021-22223 | 79 | XSS | 2021-07-06 | 2021-07-09 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link |
| 50 | CVE-2021-22220 | 79 | XSS | 2021-06-08 | 2021-06-10 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N | An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. |
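The source prints "???" in the Authentication column of every 4.0- and 4.9-scored row in the listing above. The Ruby below is an added check, not CVEdetails' or GitLab's code: it implements the CVSS v2 base-score equations with the metric weights from the CVSS v2 specification, and for a row whose Authentication value was not rendered it reports which Au value reproduces the published score from the other visible columns. The three rows in ROWS are constructed from rows 1, 2 and 29 of the listing; the Ruby names (cvss2_base, candidate_auth, ROWS) are this example's own.

```ruby
# CVSS v2 base metric weights, as given in the CVSS v2 specification.
AV  = { "Local" => 0.395, "Adjacent" => 0.646, "Remote" => 1.0 }.freeze
AC  = { "High" => 0.35, "Medium" => 0.61, "Low" => 0.71 }.freeze
AU  = { "Multiple" => 0.45, "Single" => 0.56, "Not required" => 0.704 }.freeze
CIA = { "None" => 0.0, "Partial" => 0.275, "Complete" => 0.660 }.freeze

# CVSS v2 base score (rounded to one decimal), using the column vocabulary
# of the listing ("Remote", "Low", "Not required", "Partial", ...).
def cvss2_base(access:, complexity:, auth:, conf:, integ:, avail:)
  impact = 10.41 * (1 - (1 - CIA.fetch(conf)) * (1 - CIA.fetch(integ)) * (1 - CIA.fetch(avail)))
  exploitability = 20 * AV.fetch(access) * AC.fetch(complexity) * AU.fetch(auth)
  f_impact = impact.zero? ? 0 : 1.176
  (((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact).round(1)
end

# For a row whose Authentication column was not rendered, return every Au
# value that reproduces the published score given the other metrics.
def candidate_auth(score, access:, complexity:, conf:, integ:, avail:)
  AU.keys.select do |auth|
    cvss2_base(access: access, complexity: complexity, auth: auth,
               conf: conf, integ: integ, avail: avail) == score
  end
end

# Constructed from the listing above: a 4.0 row with "???", a 4.3 row that
# does show "Not required", and a 4.9 row with "???".
ROWS = [
  { cve: "CVE-2021-39911", score: 4.0, access: "Remote", complexity: "Low",
    conf: "Partial", integ: "None", avail: "None" },
  { cve: "CVE-2021-39906", score: 4.3, access: "Remote", complexity: "Medium",
    conf: "None", integ: "Partial", avail: "None" },
  { cve: "CVE-2021-22253", score: 4.9, access: "Remote", complexity: "Medium",
    conf: "None", integ: "Partial", avail: "Partial" },
].freeze

if $PROGRAM_NAME == __FILE__
  ROWS.each do |r|
    auth = candidate_auth(r[:score], **r.slice(:access, :complexity, :conf, :integ, :avail))
    puts "#{r[:cve]} score #{r[:score]}: Authentication must be #{auth.inspect}"
  end
end
```

Running it shows that the 4.0 and 4.9 rows are only reachable with "Single" (Au:S), and that the 4.3 row is only reachable with "Not required" (Au:N), which matches the column the source does render for it; with Au:N instead, the 4.0 rows would score 5.0 and fall outside this page's range.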
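Row 25 (CVE-2021-32823) names the mechanism rather than just the symptom: a user-controlled string reaches `.constantize`, and the first reference to a never-seen `BinData::Bit<N>` makes the library build that class on demand, so every request can pick a new, expensive N. The Ruby below is an added example, not bindata's or GitLab's code. `Codec`, `lookup_unsafe`, `lookup_safe`, `ALLOWED_TYPES` and `synthesized_types` are hypothetical names, and `Codec.const_missing` is a stand-in that models only the on-demand class creation, not its cost. It shows the vulnerable lookup next to the allowlist form that stops the lookup before any constant resolution happens.

```ruby
# Stand-in for a library that synthesises Bit<N> classes lazily through
# const_missing, the way bindata creates BinData::Bit100000 on first use.
# (Hypothetical module; the real cost lives in the library, not here.)
module Codec
  def self.const_missing(name)
    m = name.to_s.match(/\ABit(\d+)\z/)
    return super unless m          # anything else is a normal NameError
    width = Integer(m[1], 10)
    const_set(name, Class.new { define_method(:bits) { width } })
  end
end

# Vulnerable pattern: the caller's string is resolved as-is (the same thing
# `params[:type].constantize` does), so "Bit100000" triggers class creation.
def lookup_unsafe(type_name)
  Codec.const_get(type_name)
end

# Hardened pattern: an allowlist is consulted before any constant lookup.
# Note that ActiveSupport's safe_constantize would not help here: it only
# rescues NameError, and the lookup itself is what fires const_missing.
ALLOWED_TYPES = %w[Bit8 Bit16 Bit32 Bit64].freeze

def lookup_safe(type_name)
  unless ALLOWED_TYPES.include?(type_name)
    raise ArgumentError, "unsupported type #{type_name.inspect}"
  end
  Codec.const_get(type_name)
end

# Number of Bit<N> classes that exist so far; grows with each unsafe lookup
# of a fresh N, which is the resource the attacker controls.
def synthesized_types
  Codec.constants.grep(/\ABit\d+\z/).size
end
```

Each call to `lookup_unsafe` with a new width adds a permanent constant to `Codec`, so the count returned by `synthesized_types` is a direct measure of what an attacker who controls the type string can make the process allocate; `lookup_safe` keeps that count bounded by the size of `ALLOWED_TYPES`.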
Total number of vulnerabilities: 258 (this listing is page 1 of 6)