CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab : Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-22236 863 2021-08-25 2021-08-31
6.5
None Remote Low ??? Partial Partial Partial
Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
2 CVE-2021-22230 2021-07-07 2021-07-09
6.5
None Remote Low ??? Partial Partial Partial
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
3 CVE-2021-22221 613 2021-06-08 2021-06-15
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired
4 CVE-2021-22195 77 Exec Code 2021-04-01 2021-04-07
6.8
None Remote Medium Not required Partial Partial Partial
Client side code execution in gitlab-vscode-extension v3.15.0 and earlier allows attacker to execute code on user system
5 CVE-2021-22192 Exec Code 2021-03-24 2021-03-26
6.5
None Remote Low ??? Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
6 CVE-2021-22189 295 2021-03-04 2021-03-10
6.5
None Remote Low ??? Partial Partial Partial
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
7 CVE-2021-22175 918 2021-06-11 2021-06-21
6.8
None Remote Medium Not required Partial Partial Partial
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
8 CVE-2020-13356 Bypass 2020-11-19 2020-12-01
6.4
None Remote Low Not required Partial Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
9 CVE-2020-13339 79 XSS 2020-10-08 2020-10-08
6.0
None Remote Medium ??? Partial Partial Partial
An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
10 CVE-2020-13327 2020-10-22 2020-11-02
6.0
None Remote Medium ??? Partial Partial Partial
An issue has been discovered in GitLab Runner affecting all versions starting from 13.4.0 before 13.4.2, all versions starting from 13.3.0 before 13.3.7, all versions starting from 13.2.0 before 13.2.10. Insecure Runner Configuration in Kubernetes Environments
11 CVE-2020-13322 863 2020-09-30 2020-10-02
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.
12 CVE-2020-13321 Bypass 2020-09-30 2020-10-02
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added.
13 CVE-2020-13309 918 2020-09-14 2020-09-21
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature.
14 CVE-2020-13307 613 2020-09-15 2020-09-18
6.0
None Remote Medium ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access.
15 CVE-2020-13304 287 2020-09-14 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions.
16 CVE-2020-13302 613 2020-09-14 2020-09-17
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password.
17 CVE-2020-13300 863 2020-09-14 2020-09-16
6.4
None Remote Low Not required Partial Partial None
GitLab before version 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
18 CVE-2020-13295 918 2020-08-10 2020-08-12
6.5
None Remote Low ??? Partial Partial Partial
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
19 CVE-2020-13290 2020-08-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page
20 CVE-2020-13279 74 Exec Code 2020-06-22 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Client side code execution in gitlab-vscode-extension v2.2.0 allows attacker to execute code on user system
21 CVE-2020-13272 863 2020-06-19 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
22 CVE-2020-13270 276 2020-06-10 2020-06-17
6.5
None Remote Low ??? Partial Partial Partial
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API
23 CVE-2020-13263 863 2020-06-19 2020-07-01
6.5
None Remote Low ??? Partial Partial Partial
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions.
24 CVE-2020-10083 281 2020-03-13 2020-03-17
6.4
None Remote Low Not required Partial Partial None
GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied.
25 CVE-2019-19261 918 2020-01-03 2020-01-09
6.8
None Remote Medium Not required Partial Partial Partial
GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF.
26 CVE-2019-18457 281 2019-11-26 2019-11-27
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens.. It has Insecure Permissions.
27 CVE-2019-15737 2019-09-16 2020-08-24
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Certain account actions needed improved authentication and session management.
28 CVE-2019-15589 2019-12-18 2019-12-27
6.5
None Remote Low ??? Partial Partial Partial
An improper access control vulnerability exists in Gitlab <v12.3.2, <v12.2.6, <v12.1.12 which would allow a blocked user would be able to use GIT clone and pull if he had obtained a CI/CD token before.
29 CVE-2019-12430 78 Exec Code 2020-03-10 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. It allows Command Injection.
30 CVE-2019-9890 2019-04-17 2020-08-24
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
31 CVE-2019-7353 200 +Info 2019-05-17 2020-08-24
6.4
None Remote Low Not required Partial Partial None
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 11.7.x before 11.7.4. GitLab Releases were vulnerable to an authorization issue that allowed users to view confidential issue and merge request titles of other projects.
32 CVE-2019-6793 918 2019-09-09 2019-09-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue.
33 CVE-2019-6783 22 Exec Code Dir. Trav. 2019-09-09 2019-09-10
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. GitLab Pages contains a directory traversal vulnerability that could lead to remote command execution.
34 CVE-2019-5883 2019-05-17 2020-08-24
6.4
None Remote Low Not required Partial Partial None
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 6.0 and later but before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. The issue comments feature could allow a user to comment on an issue which they shouldn't be allowed to.
35 CVE-2019-5486 287 Bypass 2019-12-18 2019-12-30
6.5
None Remote Low ??? Partial Partial Partial
A authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
36 CVE-2019-5473 287 Bypass 2019-09-09 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
An authentication issue was discovered in GitLab that allowed a bypass of email verification. This was addressed in GitLab 12.1.2 and 12.0.4.
37 CVE-2019-5468 269 2020-01-28 2020-02-05
6.5
None Remote Low ??? Partial Partial Partial
An privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.
38 CVE-2019-5462 613 2020-01-28 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
39 CVE-2018-20501 862 2019-12-30 2020-01-08
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
40 CVE-2018-20499 918 2019-12-30 2020-01-07
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
41 CVE-2018-19576 284 2019-07-10 2019-07-11
6.4
None Remote Low Not required None Partial Partial
GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential.
42 CVE-2018-19569 285 2019-07-10 2019-07-11
6.5
None Remote Low ??? Partial Partial Partial
GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope.
43 CVE-2018-19359 2019-04-25 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.
44 CVE-2018-18646 918 2018-12-04 2018-12-27
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows SSRF.
45 CVE-2018-14603 352 CSRF 2018-07-27 2018-09-18
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
46 CVE-2018-3710 22 Exec Code Dir. Trav. 2018-03-21 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution.
47 CVE-2017-12426 20 Exec Code 2017-08-14 2017-08-25
6.8
None Remote Medium Not required Partial Partial Partial
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
48 CVE-2017-11438 269 2017-08-02 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup.
49 CVE-2017-0926 863 2018-03-21 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.
50 CVE-2017-0921 640 2018-07-03 2018-09-04
6.8
None Remote Medium Not required Partial Partial Partial
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.
Total number of vulnerabilities : 58   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.