CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Gitlab : Security Vulnerabilities Published In 2020 (Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-26417 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
2 CVE-2020-26416 200 +Info 2020-12-11 2021-07-21
2.1
None Local Low Not required Partial None None
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
3 CVE-2020-26415 200 +Info 2020-12-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
4 CVE-2020-26413 200 +Info 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
5 CVE-2020-26412 200 +Info 2020-12-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
6 CVE-2020-26408 200 +Info 2020-12-11 2021-07-21
5.0
None Remote Low Not required Partial None None
A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile
7 CVE-2020-13359 200 Bypass +Info 2020-11-19 2021-07-21
5.5
None Remote Low ??? Partial Partial None
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
8 CVE-2020-13346 200 +Info 2020-10-07 2021-07-21
4.0
None Remote Low ??? Partial None None
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
9 CVE-2020-13344 200 +Info 2020-10-08 2021-07-21
2.1
None Local Low Not required Partial None None
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis
10 CVE-2020-13264 200 +Info 2020-06-19 2020-06-26
5.0
None Remote Low Not required Partial None None
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
11 CVE-2020-11506 200 Bypass +Info 2020-04-22 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.
12 CVE-2020-11505 200 Bypass +Info 2020-04-22 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling.
13 CVE-2020-10979 200 +Info 2020-04-08 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.
14 CVE-2020-10978 200 +Info 2020-04-08 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.
15 CVE-2020-10976 200 +Info 2020-04-08 2020-04-09
5.0
None Remote Low Not required Partial None None
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
16 CVE-2020-10975 200 +Info 2020-04-08 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.
17 CVE-2020-10955 200 +Info 2020-03-27 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
18 CVE-2020-10090 200 +Info 2020-03-13 2020-03-17
5.0
None Remote Low Not required Partial None None
GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.
19 CVE-2020-10087 200 +Info 2020-03-13 2020-03-17
5.0
None Remote Low Not required Partial None None
GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.
20 CVE-2020-10085 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing merge private merge request titles.
21 CVE-2020-10084 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 11.6 through 12.8.1 allows Information Disclosure. Sending a specially crafted request to the vulnerability_feedback endpoint could result in the exposure of a private project namespace
22 CVE-2020-10080 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.
23 CVE-2020-7976 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control.
24 CVE-2020-7974 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 10.1 through 12.7.2 allows Information Disclosure.
25 CVE-2020-7969 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure.
26 CVE-2020-6833 200 Bypass +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab EE 11.3 and later. A GitLab Workhorse bypass could lead to package and file disclosure via request smuggling.
27 CVE-2020-6832 200 +Info 2020-01-13 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects.
28 CVE-2019-20148 200 +Info 2020-01-13 2021-07-21
4.3
None Remote Medium Not required Partial None None
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
29 CVE-2019-20147 200 +Info 2020-01-13 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.
30 CVE-2019-19629 200 +Info 2020-01-05 2021-07-21
5.0
None Remote Low Not required Partial None None
In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
31 CVE-2019-19312 200 +Info 2020-01-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
32 CVE-2019-19309 200 +Info 2020-01-03 2021-07-21
4.0
None Remote Low ??? Partial None None
GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.
33 CVE-2019-19258 200 +Info 2020-01-03 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control.
34 CVE-2019-19257 200 +Info 2020-01-03 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).
35 CVE-2019-19256 200 +Info 2020-01-03 2020-01-06
5.0
None Remote Low Not required Partial None None
GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control.
36 CVE-2019-19254 200 +Info 2020-01-03 2020-01-06
5.0
None Remote Low Not required Partial None None
GitLab Community Edition (CE) and Enterprise Edition (EE). 9.6 and later through 12.5 has Incorrect Access Control.
37 CVE-2019-15583 200 +Info 2020-01-28 2020-01-29
5.0
None Remote Low Not required Partial None None
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
38 CVE-2019-15578 200 +Info 2020-01-28 2020-01-29
5.0
None Remote Low Not required Partial None None
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
39 CVE-2019-13006 200 +Info 2020-03-10 2021-07-21
4.0
None Remote Low ??? Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 9.0 and through 12.0.2. Users with access to issues, but not the repository were able to view the number of related merge requests on an issue. It has Incorrect Access Control.
40 CVE-2019-13002 200 +Info 2020-03-10 2021-07-21
4.0
None Remote Low ??? Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.
41 CVE-2019-12432 200 +Info 2020-03-10 2020-03-10
4.0
None Remote Low ??? Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure.
Total number of vulnerabilities : 41   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.