CVEdetails.com the ultimate security vulnerability data source

Gitlab : Security Vulnerabilities (Gain Information)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2021-39941 200 +Info 2021-12-13 2021-12-15
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members
2 CVE-2021-39888 200 +Info 2021-10-05 2021-10-12
4.0
None Remote Low ??? Partial None None
In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.
3 CVE-2021-39875 200 +Info 2021-10-05 2021-10-12
5.0
None Remote Low Not required Partial None None
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
4 CVE-2021-39869 200 +Info 2021-10-05 2021-10-12
4.3
None Remote Medium Not required Partial None None
In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.
5 CVE-2021-22233 200 +Info 2021-07-07 2021-07-09
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
6 CVE-2021-22219 532 +Info 2021-06-08 2021-06-15
4.0
None Remote Low ??? Partial None None
GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
7 CVE-2021-22215 668 +Info 2021-06-08 2021-07-07
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects
8 CVE-2021-22213 200 +Info 2021-06-08 2021-06-15
4.3
None Remote Medium Not required Partial None None
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
9 CVE-2021-22184 200 +Info 2021-03-26 2021-03-30
2.1
None Local Low Not required Partial None None
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
10 CVE-2021-22169 200 +Info 2021-03-24 2021-03-25
4.0
None Remote Low ??? Partial None None
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
11 CVE-2020-26417 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
12 CVE-2020-26416 200 +Info 2020-12-11 2021-07-21
2.1
None Local Low Not required Partial None None
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
13 CVE-2020-26415 200 +Info 2020-12-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
14 CVE-2020-26413 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
15 CVE-2020-26412 200 +Info 2020-12-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
16 CVE-2020-26408 200 +Info 2020-12-11 2021-07-21
5.0
None Remote Low Not required Partial None None
A limited information disclosure vulnerability exists in GitLab CE/EE from >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in a user's private profile.
17 CVE-2020-13359 200 Bypass +Info 2020-11-19 2021-07-21
5.5
None Remote Low ??? Partial Partial None
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation, allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2.
18 CVE-2020-13346 200 +Info 2020-10-07 2021-07-21
4.0
None Remote Low ??? Partial None None
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
19 CVE-2020-13344 200 +Info 2020-10-08 2021-07-21
2.1
None Local Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Session keys are stored in plain text in Redis, which allows an attacker with Redis access to authenticate as any user that has a session stored in Redis.
20 CVE-2020-13264 200 +Info 2020-06-19 2020-06-26
5.0
None Remote Low Not required Partial None None
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
21 CVE-2020-11506 200 Bypass +Info 2020-04-22 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.
22 CVE-2020-11505 200 Bypass +Info 2020-04-22 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling.
23 CVE-2020-10979 200 +Info 2020-04-08 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.
24 CVE-2020-10978 200 +Info 2020-04-08 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.
25 CVE-2020-10976 200 +Info 2020-04-08 2020-04-09
5.0
None Remote Low Not required Partial None None
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
26 CVE-2020-10975 200 +Info 2020-04-08 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.
27 CVE-2020-10955 200 +Info 2020-03-27 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
28 CVE-2020-10090 200 +Info 2020-03-13 2020-03-17
5.0
None Remote Low Not required Partial None None
GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.
29 CVE-2020-10087 200 +Info 2020-03-13 2020-03-17
5.0
None Remote Low Not required Partial None None
GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.
30 CVE-2020-10085 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing private merge request titles.
31 CVE-2020-10084 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 11.6 through 12.8.1 allows Information Disclosure. Sending a specially crafted request to the vulnerability_feedback endpoint could result in the exposure of a private project namespace
32 CVE-2020-10080 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.
33 CVE-2020-7976 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control.
34 CVE-2020-7974 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 10.1 through 12.7.2 allows Information Disclosure.
35 CVE-2020-7969 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure.
36 CVE-2020-6833 200 Bypass +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab EE 11.3 and later. A GitLab Workhorse bypass could lead to package and file disclosure via request smuggling.
37 CVE-2020-6832 200 +Info 2020-01-13 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects.
38 CVE-2019-20148 200 +Info 2020-01-13 2021-07-21
4.3
None Remote Medium Not required Partial None None
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
39 CVE-2019-20147 200 +Info 2020-01-13 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.
40 CVE-2019-19629 200 +Info 2020-01-05 2021-07-21
5.0
None Remote Low Not required Partial None None
In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
41 CVE-2019-19312 200 +Info 2020-01-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
42 CVE-2019-19309 200 +Info 2020-01-03 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.
43 CVE-2019-19258 200 +Info 2020-01-03 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control.
44 CVE-2019-19257 200 +Info 2020-01-03 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).
45 CVE-2019-19256 200 +Info 2020-01-03 2020-01-06
5.0
None Remote Low Not required Partial None None
GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control.
46 CVE-2019-19254 200 +Info 2020-01-03 2020-01-06
5.0
None Remote Low Not required Partial None None
GitLab Community Edition (CE) and Enterprise Edition (EE) 9.6 and later through 12.5 has Incorrect Access Control.
47 CVE-2019-18461 200 +Info 2019-11-26 2019-12-03
4.0
None Remote Low ??? Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.
48 CVE-2019-18460 200 +Info 2019-11-26 2019-11-27
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4 in the Comments Search feature provided by the Elasticsearch integration. It has Incorrect Access Control.
49 CVE-2019-18448 200 +Info 2019-11-26 2021-07-21
4.0
None Remote Low ??? Partial None None
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.
50 CVE-2019-15740 200 +Info 2019-09-16 2019-09-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads.
Total number of vulnerabilities: 90. Page 1 of 2.