Approved changes feed: RSS · Atom
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Gitlab (57573e99-56e6-5fad-895e-0ce7fffc5b90) |
|---|---|
| Product | Gitlab (5414fcda-a172-5f72-b6e4-b415a19d21eb) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:gitlab/gitlab-org/gitlab |
purl2cpe | 2026-06-01 10:14:46.084382 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-9807 |
vulnerable | 2026-06-03 15:29:30.351608 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.
Published: 2026-05-28T07:34:37.630Z
Updated: 2026-05-28T12:11:19.756Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-8716 |
vulnerable | 2026-06-03 15:29:29.620002 |
Use of Incorrectly-Resolved Name or Reference in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.
Published: 2026-05-27T17:54:59.110Z
Updated: 2026-05-27T19:36:40.034Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-8280 |
vulnerable | 2026-06-03 15:27:57.827377 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to cause denial of service through excessive memory consumption due to improper input validation.
Published: 2026-05-14T05:33:22.338Z
Updated: 2026-05-14T13:15:30.549Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-8144 |
vulnerable | 2026-06-03 15:27:57.699037 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization checks.
Published: 2026-05-14T05:33:17.465Z
Updated: 2026-05-14T13:49:09.445Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-7481 |
vulnerable | 2026-06-03 15:27:56.874941 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.
Published: 2026-05-14T05:33:32.366Z
Updated: 2026-05-15T03:55:51.754Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-7471 |
vulnerable | 2026-06-03 15:27:56.869312 |
Server-Side Request Forgery (SSRF) in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.
Published: 2026-05-14T05:33:37.334Z
Updated: 2026-05-14T13:17:54.408Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-7377 |
vulnerable | 2026-06-03 15:27:56.705461 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
Published: 2026-05-14T05:33:42.345Z
Updated: 2026-05-15T03:55:50.629Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-6883 |
vulnerable | 2026-06-03 15:27:55.841359 |
Missing Authorization in GitLab
LOW (2.6)
GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.
Published: 2026-05-14T05:33:52.339Z
Updated: 2026-05-14T13:14:42.194Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-6713 |
vulnerable | 2026-06-03 15:27:55.626887 |
Incorrect Authorization in GitLab
MEDIUM (5.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.
Published: 2026-05-27T17:55:13.955Z
Updated: 2026-05-27T19:22:57.385Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-6515 |
vulnerable | 2026-06-03 15:27:55.414330 |
Insufficient Session Expiration in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
Published: 2026-04-22T16:04:11.611Z
Updated: 2026-04-22T17:51:09.883Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-6335 |
vulnerable | 2026-06-03 15:27:55.138791 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.
Published: 2026-05-14T05:33:57.334Z
Updated: 2026-05-15T09:58:59.492Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-6073 |
vulnerable | 2026-06-03 15:27:54.736173 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.
Published: 2026-05-14T05:34:07.338Z
Updated: 2026-05-15T03:55:46.640Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-6063 |
vulnerable | 2026-06-03 15:27:54.726691 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
Published: 2026-05-14T05:34:12.358Z
Updated: 2026-05-14T13:21:53.278Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-5816 |
vulnerable | 2026-06-03 15:27:54.256841 |
Improper Resolution of Path Equivalence in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
Published: 2026-04-22T16:04:26.293Z
Updated: 2026-04-23T03:56:09.061Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-5377 |
vulnerable | 2026-06-03 15:26:27.091590 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.
Published: 2026-04-22T16:04:31.304Z
Updated: 2026-04-22T17:52:14.162Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-5296 |
vulnerable | 2026-06-03 15:26:26.945253 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.
Published: 2026-05-27T17:55:18.937Z
Updated: 2026-05-27T19:01:02.944Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-5262 |
vulnerable | 2026-06-03 15:26:26.909811 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.
Published: 2026-04-22T16:04:36.550Z
Updated: 2026-04-22T18:08:34.142Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-5173 |
vulnerable | 2026-06-03 15:26:26.638790 |
Exposed Dangerous Method or Function in GitLab
HIGH (8.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Published: 2026-04-08T22:25:12.946Z
Updated: 2026-04-09T13:16:53.628Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4922 |
vulnerable | 2026-06-03 15:26:26.302953 |
Cross-Site Request Forgery (CSRF) in GitLab
HIGH (8.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Published: 2026-04-22T16:29:38.861Z
Updated: 2026-04-24T03:55:17.281Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4916 |
vulnerable | 2026-06-03 15:26:26.290249 |
Missing Authorization in GitLab
LOW (2.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations.
Published: 2026-04-08T22:25:22.837Z
Updated: 2026-04-09T13:05:54.501Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4868 |
vulnerable | 2026-06-03 15:26:26.230984 |
Authorization Bypass Through User-Controlled Key in GitLab
HIGH (8.2)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.
Published: 2026-05-27T17:55:23.935Z
Updated: 2026-05-28T03:55:58.116Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4527 |
vulnerable | 2026-06-03 15:26:25.623472 |
Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a specially crafted link due to missing CSRF protection.
Published: 2026-05-14T05:34:32.344Z
Updated: 2026-05-14T13:22:37.251Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4524 |
vulnerable | 2026-06-03 15:26:25.617515 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.
Published: 2026-05-14T05:34:52.339Z
Updated: 2026-05-14T13:23:21.379Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4363 |
vulnerable | 2026-06-03 15:26:25.363810 |
Incorrect Authorization in GitLab
LOW (3.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisions.
Published: 2026-03-25T15:04:46.503Z
Updated: 2026-03-25T19:57:37.853Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-4332 |
vulnerable | 2026-06-03 15:26:25.304975 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
Published: 2026-04-08T22:25:27.848Z
Updated: 2026-04-09T13:05:08.328Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3988 |
vulnerable | 2026-06-03 15:23:33.844122 |
Inefficient Algorithmic Complexity in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.
Published: 2026-03-25T16:33:43.952Z
Updated: 2026-03-25T17:21:53.191Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3857 |
vulnerable | 2026-06-03 15:23:33.628255 |
Cross-Site Request Forgery (CSRF) in GitLab
HIGH (8.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Published: 2026-03-25T16:33:53.854Z
Updated: 2026-03-26T13:20:03.781Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3848 |
vulnerable | 2026-06-03 15:23:33.615247 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab
MEDIUM (5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
Published: 2026-03-11T15:37:11.894Z
Updated: 2026-03-12T14:23:58.017Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3607 |
vulnerable | 2026-06-03 15:23:33.180123 |
Access Control Check Implemented After Asset is Accessed in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control.
Published: 2026-05-14T05:35:42.338Z
Updated: 2026-05-14T13:06:45.555Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3254 |
vulnerable | 2026-06-03 15:23:31.909707 |
Improper Restriction of Rendered UI Layers or Frames in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.
Published: 2026-04-22T16:29:48.833Z
Updated: 2026-04-22T17:39:44.965Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3160 |
vulnerable | 2026-06-03 15:23:31.570145 |
Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
MEDIUM (5.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.
Published: 2026-05-14T05:35:57.340Z
Updated: 2026-05-14T13:09:24.780Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3074 |
vulnerable | 2026-06-03 15:22:13.660064 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
Published: 2026-05-14T05:36:02.934Z
Updated: 2026-05-14T13:08:28.045Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3073 |
vulnerable | 2026-06-03 15:22:13.657974 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.
Published: 2026-05-14T05:36:12.338Z
Updated: 2026-05-14T13:07:50.839Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2995 |
vulnerable | 2026-06-03 15:19:25.542593 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.
Published: 2026-03-25T16:33:58.853Z
Updated: 2026-03-26T13:20:13.378Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2973 |
vulnerable | 2026-06-03 15:19:25.515555 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.
Published: 2026-03-25T16:34:03.852Z
Updated: 2026-03-26T17:24:32.440Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2900 |
vulnerable | 2026-06-03 15:19:25.334204 |
Missing Authorization in GitLab
LOW (2.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.
Published: 2026-05-14T05:36:17.336Z
Updated: 2026-05-14T13:07:17.299Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2845 |
vulnerable | 2026-06-03 15:19:25.106300 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Published: 2026-02-25T20:04:35.210Z
Updated: 2026-02-26T15:45:14.406Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2745 |
vulnerable | 2026-06-03 15:19:24.908417 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.
Published: 2026-03-25T16:34:18.860Z
Updated: 2026-03-26T03:55:31.559Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2726 |
vulnerable | 2026-06-03 15:19:24.868513 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.
Published: 2026-03-25T16:34:13.838Z
Updated: 2026-03-25T17:14:34.612Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2619 |
vulnerable | 2026-06-03 15:19:24.616192 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.
Published: 2026-04-08T22:25:37.932Z
Updated: 2026-04-09T13:04:26.216Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2601 |
vulnerable | 2026-06-03 15:19:24.579743 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.
Published: 2026-05-27T17:55:38.935Z
Updated: 2026-05-27T19:04:49.153Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2370 |
vulnerable | 2026-06-03 15:19:24.122122 |
Improper Handling of Parameters in GitLab
HIGH (8.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
Published: 2026-03-29T23:33:44.410Z
Updated: 2026-03-30T15:02:06.576Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-2104 |
vulnerable | 2026-06-03 15:19:23.504823 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Published: 2026-04-08T22:25:47.858Z
Updated: 2026-04-09T15:43:25.441Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1752 |
vulnerable | 2026-06-03 15:14:45.261604 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
Published: 2026-04-08T22:25:52.858Z
Updated: 2026-04-09T14:58:43.291Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1751 |
vulnerable | 2026-06-03 15:14:45.261275 |
Missing Authorization in GitLab
LOW (3.1)
A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.
Published: 2026-02-02T09:04:38.090Z
Updated: 2026-02-02T13:24:44.683Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1747 |
vulnerable | 2026-06-03 15:14:45.254328 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Published: 2026-02-25T20:04:49.893Z
Updated: 2026-02-26T15:39:03.951Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1732 |
vulnerable | 2026-06-03 15:14:45.223575 |
Improper Removal of Sensitive Information Before Storage or Transfer in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.
Published: 2026-03-11T15:37:26.891Z
Updated: 2026-03-12T16:12:20.254Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1725 |
vulnerable | 2026-06-03 15:14:45.202667 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
Published: 2026-02-25T20:04:44.830Z
Updated: 2026-02-26T15:42:29.688Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1724 |
vulnerable | 2026-06-03 15:14:45.200938 |
Missing Authentication for Critical Function in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.
Published: 2026-03-25T16:34:28.860Z
Updated: 2026-03-27T14:59:15.608Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1663 |
vulnerable | 2026-06-03 15:14:44.892597 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in the group import process under certain circumstances.
Published: 2026-03-11T16:04:50.787Z
Updated: 2026-03-12T16:15:41.091Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1662 |
vulnerable | 2026-06-03 15:14:44.891713 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Published: 2026-02-25T20:04:59.913Z
Updated: 2026-02-26T15:10:46.924Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1660 |
vulnerable | 2026-06-03 15:14:44.891004 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to cause denial of service when importing issues due to improper input validation.
Published: 2026-04-22T16:04:51.382Z
Updated: 2026-04-22T17:39:02.958Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1659 |
vulnerable | 2026-06-03 15:14:44.890346 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.
Published: 2026-05-14T05:36:32.362Z
Updated: 2026-05-14T13:00:59.317Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1516 |
vulnerable | 2026-06-03 15:14:44.561912 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
Published: 2026-04-08T22:25:57.848Z
Updated: 2026-04-09T15:42:34.893Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1458 |
vulnerable | 2026-06-03 15:14:44.444015 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
Published: 2026-02-11T11:04:05.401Z
Updated: 2026-02-11T15:42:58.333Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1456 |
vulnerable | 2026-06-03 15:14:44.438264 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
Published: 2026-02-11T11:04:15.246Z
Updated: 2026-02-11T15:40:00.821Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1402 |
vulnerable | 2026-06-03 15:14:44.327211 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.
Published: 2026-05-27T17:55:48.942Z
Updated: 2026-05-27T18:53:49.218Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1388 |
vulnerable | 2026-06-03 15:14:44.287866 |
Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Published: 2026-02-25T20:05:05.289Z
Updated: 2026-02-26T15:07:56.004Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1387 |
vulnerable | 2026-06-03 15:14:44.287282 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQl.
Published: 2026-02-11T11:04:20.771Z
Updated: 2026-02-11T21:17:29.372Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1338 |
vulnerable | 2026-06-03 15:14:44.195886 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
Published: 2026-05-14T05:36:42.333Z
Updated: 2026-05-14T13:05:58.427Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1322 |
vulnerable | 2026-06-03 15:14:44.151804 |
Business Logic Errors in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.
Published: 2026-05-14T05:36:47.351Z
Updated: 2026-05-14T13:05:16.129Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1282 |
vulnerable | 2026-06-03 15:14:44.090347 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
Published: 2026-02-11T11:04:25.235Z
Updated: 2026-02-11T21:18:14.189Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1230 |
vulnerable | 2026-06-03 15:14:43.968931 |
Use of Incorrectly-Resolved Name or Reference in GitLab
MEDIUM (4.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.
Published: 2026-03-11T16:05:00.849Z
Updated: 2026-03-11T19:46:36.143Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1184 |
vulnerable | 2026-06-03 15:14:43.891551 |
Deserialization of Untrusted Data in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.
Published: 2026-05-14T05:37:02.391Z
Updated: 2026-05-14T13:04:20.915Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1182 |
vulnerable | 2026-06-03 15:14:43.880062 |
Improper Removal of Sensitive Information Before Storage or Transfer in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain circumstances.
Published: 2026-03-12T01:33:23.543Z
Updated: 2026-03-12T13:25:11.338Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1102 |
vulnerable | 2026-06-03 15:14:43.767084 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Published: 2026-01-22T13:33:53.530Z
Updated: 2026-01-22T15:29:45.284Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1101 |
vulnerable | 2026-06-03 15:14:43.766745 |
Improper Validation of Specified Quantity in Input in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Published: 2026-04-08T22:26:07.834Z
Updated: 2026-04-09T15:41:03.766Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1092 |
vulnerable | 2026-06-03 15:14:43.747988 |
Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Published: 2026-04-08T22:26:12.837Z
Updated: 2026-04-09T15:09:51.969Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1090 |
vulnerable | 2026-06-03 15:14:43.747479 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
Published: 2026-03-11T16:05:05.863Z
Updated: 2026-03-12T13:32:23.694Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1080 |
vulnerable | 2026-06-03 15:14:43.728279 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
Published: 2026-02-11T11:33:41.565Z
Updated: 2026-02-11T15:35:58.862Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1069 |
vulnerable | 2026-06-03 15:14:43.707856 |
Uncontrolled Recursion in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
Published: 2026-03-11T16:05:10.674Z
Updated: 2026-03-11T19:39:56.098Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-0958 |
vulnerable | 2026-06-03 15:14:43.288391 |
Interpretation Conflict in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
Published: 2026-02-11T11:33:46.426Z
Updated: 2026-02-11T15:19:41.414Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-0752 |
vulnerable | 2026-06-03 15:14:42.785104 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Published: 2026-02-25T20:05:19.818Z
Updated: 2026-02-26T14:44:05.136Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-0723 |
vulnerable | 2026-06-03 15:14:42.710802 |
Unchecked Return Value in GitLab
HIGH (7.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Published: 2026-01-22T13:34:08.340Z
Updated: 2026-02-26T14:44:33.144Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-0602 |
vulnerable | 2026-06-03 15:14:42.291250 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.
Published: 2026-03-11T16:05:20.680Z
Updated: 2026-03-11T19:36:50.673Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-0595 |
vulnerable | 2026-06-03 15:14:42.169003 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.
Published: 2026-02-11T11:33:56.425Z
Updated: 2026-02-26T14:44:28.036Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-9958 |
vulnerable | 2026-06-03 15:14:40.213979 |
Insertion of Sensitive Information Into Sent Data in GitLab
HIGH (7.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations.
Published: 2025-09-26T09:04:41.537Z
Updated: 2025-11-06T17:30:27.285Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-9957 |
vulnerable | 2026-06-03 15:14:40.210548 |
Incorrect Authorization in GitLab
LOW (2.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.
Published: 2026-04-22T16:05:16.304Z
Updated: 2026-04-22T17:34:06.772Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-9825 |
vulnerable | 2026-06-03 15:14:39.798337 |
Missing Authorization in GitLab
MEDIUM (5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.
Published: 2025-11-21T05:33:31.558Z
Updated: 2025-11-24T18:09:10.207Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-9642 |
vulnerable | 2026-06-03 15:13:46.946951 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover.
Published: 2025-09-26T09:04:51.532Z
Updated: 2025-09-26T13:15:17.950Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-9484 |
vulnerable | 2026-06-03 15:13:46.584680 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Published: 2026-04-08T22:27:17.831Z
Updated: 2026-04-09T13:03:18.113Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-9222 |
vulnerable | 2026-06-03 15:13:45.720713 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
Published: 2026-01-09T10:04:36.272Z
Updated: 2026-02-26T15:04:51.985Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-8770 |
vulnerable | 2026-06-03 15:13:44.697277 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers.
Published: 2025-08-13T17:26:10.817Z
Updated: 2025-08-13T20:05:23.927Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-8405 |
vulnerable | 2026-06-03 15:13:43.544561 |
Improper Encoding or Escaping of Output in GitLab
HIGH (7.7)
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.
Published: 2025-12-11T04:05:07.234Z
Updated: 2026-02-26T16:21:04.264Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-8099 |
vulnerable | 2026-06-03 15:13:42.724301 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Published: 2026-02-11T11:35:11.456Z
Updated: 2026-02-11T15:14:09.487Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-8014 |
vulnerable | 2026-06-03 15:13:42.030877 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption.
Published: 2025-09-27T16:33:32.601Z
Updated: 2025-09-30T17:27:13.696Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7739 |
vulnerable | 2026-06-03 15:13:41.355305 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.
Published: 2025-08-13T17:26:25.490Z
Updated: 2025-08-13T20:36:20.769Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7736 |
vulnerable | 2026-06-03 15:13:41.349955 |
Incorrect Authorization in GitLab
LOW (3.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers.
Published: 2025-11-15T08:04:14.734Z
Updated: 2025-11-17T20:13:18.378Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7734 |
vulnerable | 2026-06-03 15:13:41.344486 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Published: 2025-08-13T17:26:20.482Z
Updated: 2025-08-13T20:35:29.997Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7691 |
vulnerable | 2026-06-03 15:13:41.122367 |
Privilege Defined With Unsafe Actions in GitLab
MEDIUM (6.5)
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.
Published: 2025-09-26T09:05:06.532Z
Updated: 2026-02-26T17:47:53.973Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7659 |
vulnerable | 2026-06-03 15:13:40.972275 |
Origin Validation Error in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.
Published: 2026-02-11T11:35:16.441Z
Updated: 2026-02-26T14:44:27.435Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7449 |
vulnerable | 2026-06-03 15:12:31.286606 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing.
Published: 2025-11-26T19:46:32.641Z
Updated: 2025-12-10T23:01:24.555Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7337 |
vulnerable | 2026-06-03 15:12:30.950495 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab instance by uploading large files.
Published: 2025-09-12T06:05:35.035Z
Updated: 2025-09-12T16:07:00.708Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7001 |
vulnerable | 2026-06-03 15:12:30.324475 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resource_group information through the API which should have been unavailable.
Published: 2025-07-24T06:05:22.870Z
Updated: 2025-07-24T13:36:37.546Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-7000 |
vulnerable | 2026-06-03 15:12:30.323866 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.
Published: 2025-11-15T08:04:19.745Z
Updated: 2025-11-17T20:14:12.187Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6948 |
vulnerable | 2026-06-03 15:12:29.398103 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Published: 2025-07-10T08:30:39.878Z
Updated: 2026-02-26T17:50:48.879Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6945 |
vulnerable | 2026-06-03 15:12:29.368143 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.
Published: 2025-11-15T08:04:29.739Z
Updated: 2025-11-17T20:16:05.892Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6769 |
vulnerable | 2026-06-03 15:12:28.891831 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces.
Published: 2025-09-12T06:05:44.797Z
Updated: 2025-09-12T17:18:18.621Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6601 |
vulnerable | 2026-06-03 15:12:28.283395 |
Business Logic Errors in GitLab
LOW (2.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.
Published: 2025-10-27T00:06:04.304Z
Updated: 2025-11-24T07:26:31.684Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6454 |
vulnerable | 2026-06-03 15:12:27.635680 |
Server-Side Request Forgery (SSRF) in GitLab
HIGH (8.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences.
Published: 2025-09-12T06:05:49.792Z
Updated: 2025-09-12T17:18:59.590Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6195 |
vulnerable | 2026-06-03 15:12:26.953549 |
Direct Request ('Forced Browsing') in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions.
Published: 2025-11-26T19:46:42.649Z
Updated: 2025-12-10T23:01:24.471Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6186 |
vulnerable | 2026-06-03 15:12:26.938868 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.
Published: 2025-08-13T17:26:35.507Z
Updated: 2025-08-13T20:36:52.358Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6171 |
vulnerable | 2026-06-03 15:12:26.907816 |
Missing Authorization in GitLab
MEDIUM (5.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.
Published: 2025-11-15T08:04:24.736Z
Updated: 2025-11-17T20:15:16.095Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6168 |
vulnerable | 2026-06-03 15:12:26.899138 |
Incorrect Authorization in GitLab
LOW (2.7)
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.
Published: 2025-07-10T08:30:54.721Z
Updated: 2025-07-10T20:08:14.880Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6016 |
vulnerable | 2026-06-03 15:12:26.318753 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service due to insufficient resource allocation limits when retrieving notes under certain conditions.
Published: 2026-04-22T16:05:26.340Z
Updated: 2026-04-22T17:32:08.602Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5996 |
vulnerable | 2026-06-03 15:07:55.231568 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. A lack of input validation in HTTP responses could allow an authenticated user to cause denial of service.
Published: 2025-06-12T10:02:15.206Z
Updated: 2025-08-01T17:15:41.215Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5982 |
vulnerable | 2026-06-03 15:07:55.201850 |
Insufficient Granularity of Access Control in GitLab
LOW (3.7)
An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
Published: 2025-06-12T16:27:56.700Z
Updated: 2025-06-12T17:29:27.471Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5846 |
vulnerable | 2026-06-03 15:07:54.826463 |
Missing Authorization in GitLab
LOW (2.7)
An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.
Published: 2025-06-26T05:31:05.956Z
Updated: 2025-06-26T13:22:59.788Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5819 |
vulnerable | 2026-06-03 15:07:54.689750 |
Incorrect Permission Assignment for Critical Resource in GitLab
MEDIUM (5)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.
Published: 2025-08-13T17:26:45.482Z
Updated: 2025-08-29T16:23:04.943Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5315 |
vulnerable | 2026-06-03 15:06:27.511963 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
Published: 2025-06-26T05:31:15.850Z
Updated: 2025-06-26T13:22:43.572Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5195 |
vulnerable | 2026-06-03 15:06:27.220585 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure.
Published: 2025-06-12T10:31:00.372Z
Updated: 2025-06-12T13:25:45.847Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5121 |
vulnerable | 2026-06-03 15:06:27.044466 |
Missing Authorization in GitLab
HIGH (8.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.
Published: 2025-06-20T17:12:39.860Z
Updated: 2025-06-20T17:29:37.340Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5101 |
vulnerable | 2026-06-03 15:06:26.989737 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5)
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.
Published: 2025-08-27T19:33:36.040Z
Updated: 2025-08-27T19:53:36.682Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-5069 |
vulnerable | 2026-06-03 15:06:26.916162 |
Incorrect Ownership Assignment in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name to the victim's project.
Published: 2025-09-26T09:11:09.636Z
Updated: 2025-09-26T13:12:27.389Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4979 |
vulnerable | 2026-06-03 15:01:49.116010 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (4.9)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
Published: 2025-05-22T13:30:28.496Z
Updated: 2025-05-22T14:21:32.253Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4976 |
vulnerable | 2026-06-03 15:01:49.111239 |
Exposure of Sensitive Information Due to Incompatible Policies in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.
Published: 2025-07-24T06:05:37.730Z
Updated: 2025-07-24T13:36:32.546Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4972 |
vulnerable | 2026-06-03 15:01:49.107020 |
Incorrect Authorization in GitLab
LOW (2.7)
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.
Published: 2025-07-10T08:30:59.709Z
Updated: 2025-07-10T20:11:10.748Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4700 |
vulnerable | 2026-06-03 15:01:48.580526 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.
Published: 2025-07-23T17:33:13.646Z
Updated: 2026-02-26T17:50:16.041Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4439 |
vulnerable | 2026-06-03 15:01:47.673134 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.
Published: 2025-07-23T18:09:17.968Z
Updated: 2026-02-26T17:50:15.821Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4278 |
vulnerable | 2026-06-03 15:01:47.353135 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover.
Published: 2025-06-12T10:02:25.006Z
Updated: 2025-06-12T13:43:54.714Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4225 |
vulnerable | 2026-06-03 15:01:46.981756 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests.
Published: 2025-08-27T19:33:45.928Z
Updated: 2025-08-27T19:52:40.877Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-4097 |
vulnerable | 2026-06-03 15:01:46.737888 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
Published: 2025-12-11T04:05:22.190Z
Updated: 2025-12-11T15:00:16.738Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3950 |
vulnerable | 2026-06-03 15:01:06.027601 |
Exposure of Private Personal Information to an Unauthorized Actor in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
Published: 2026-01-09T10:04:51.264Z
Updated: 2026-01-09T14:42:21.828Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3922 |
vulnerable | 2026-06-03 15:01:05.943286 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API.
Published: 2026-04-22T16:05:31.304Z
Updated: 2026-04-22T17:28:16.879Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3601 |
vulnerable | 2026-06-03 15:01:05.032565 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses.
Published: 2025-08-27T19:33:50.920Z
Updated: 2025-08-27T19:54:21.123Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3525 |
vulnerable | 2026-06-03 15:01:04.792960 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI triggers via the API.
Published: 2026-02-25T19:33:56.609Z
Updated: 2026-02-25T20:51:14.590Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3396 |
vulnerable | 2026-06-03 15:01:04.322658 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.
Published: 2025-07-10T08:31:04.703Z
Updated: 2025-07-10T20:12:01.609Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3279 |
vulnerable | 2026-06-03 15:01:04.138434 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
Published: 2025-06-26T05:31:25.858Z
Updated: 2025-06-26T13:22:27.886Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3111 |
vulnerable | 2026-06-03 15:01:03.674769 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service..
Published: 2025-05-22T13:30:43.544Z
Updated: 2025-05-22T14:51:11.125Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2938 |
vulnerable | 2026-06-03 15:00:26.887194 |
Business Logic Errors in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.
Published: 2025-06-26T05:31:30.851Z
Updated: 2026-02-26T17:50:22.974Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2937 |
vulnerable | 2026-06-03 15:00:26.886802 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature.
Published: 2025-08-13T17:26:55.506Z
Updated: 2025-08-13T20:03:48.370Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2934 |
vulnerable | 2026-06-03 15:00:26.884657 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.
Published: 2025-10-09T11:33:43.956Z
Updated: 2025-10-09T13:48:56.561Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2867 |
vulnerable | 2026-06-03 15:00:26.722854 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.4)
An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data to unauthorized users.
Published: 2025-03-27T14:02:18.359Z
Updated: 2025-03-27T14:18:32.168Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2853 |
vulnerable | 2026-06-03 15:00:26.676587 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
Published: 2025-05-22T13:30:48.335Z
Updated: 2025-05-22T14:50:36.079Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2615 |
vulnerable | 2026-06-03 15:00:26.101791 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.
Published: 2025-11-15T08:04:44.743Z
Updated: 2025-11-17T20:16:30.455Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2614 |
vulnerable | 2026-06-03 15:00:26.101137 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed.
Published: 2025-08-13T17:27:00.485Z
Updated: 2025-08-13T18:31:35.236Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2498 |
vulnerable | 2026-06-03 15:00:25.606127 |
Insufficient Granularity of Access Control in GitLab
LOW (3.1)
An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.
Published: 2025-08-13T17:27:10.511Z
Updated: 2025-08-13T20:02:26.796Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2469 |
vulnerable | 2026-06-03 15:00:25.515226 |
Debug Messages Revealing Unnecessary Information in GitLab
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.
Published: 2025-04-10T13:30:43.136Z
Updated: 2025-04-10T14:13:00.917Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2443 |
vulnerable | 2026-06-03 15:00:25.508595 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-06-20T17:12:54.738Z
Updated: 2025-06-20T17:27:26.650Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2408 |
vulnerable | 2026-06-03 15:00:25.459231 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
Published: 2025-04-10T12:30:48.931Z
Updated: 2025-04-10T13:03:28.479Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2256 |
vulnerable | 2026-06-03 15:00:25.043763 |
Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.
Published: 2025-09-12T06:06:04.796Z
Updated: 2025-09-12T17:19:32.801Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2255 |
vulnerable | 2026-06-03 15:00:25.043077 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec.
Published: 2025-03-27T12:30:47.592Z
Updated: 2025-03-27T13:13:21.218Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2254 |
vulnerable | 2026-06-03 15:00:25.042711 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snipper viewer functionality lead to Cross-Site scripting attacks.
Published: 2025-06-12T10:02:40.003Z
Updated: 2025-06-12T13:42:30.110Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2246 |
vulnerable | 2026-06-03 15:00:25.016081 |
Missing Authorization in GitLab
MEDIUM (5.8)
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API.
Published: 2025-08-27T19:34:00.919Z
Updated: 2025-08-27T19:49:56.554Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2242 |
vulnerable | 2026-06-03 15:00:25.004339 |
Incorrect Authorization in GitLab
HIGH (7.5)
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.
Published: 2025-03-27T12:30:57.479Z
Updated: 2025-03-27T13:11:00.331Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2045 |
vulnerable | 2026-06-03 15:00:15.708677 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1 allow users with limited permissions to access to potentially sensitive project analytics data.
Published: 2025-03-06T13:04:16.661Z
Updated: 2025-03-06T16:07:19.120Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1908 |
vulnerable | 2026-06-03 14:59:06.798710 |
Business Logic Errors in GitLab
HIGH (7.7)
An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-04-24T07:30:51.255Z
Updated: 2025-04-24T15:23:23.164Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1763 |
vulnerable | 2026-06-03 14:59:06.447117 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-05-30T11:02:36.384Z
Updated: 2025-05-30T12:50:13.554Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1754 |
vulnerable | 2026-06-03 14:59:06.357599 |
Missing Authentication for Critical Function in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.
Published: 2025-06-26T05:31:40.856Z
Updated: 2025-06-26T13:19:41.870Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1677 |
vulnerable | 2026-06-03 14:59:06.022851 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4 A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
Published: 2025-04-10T12:30:58.715Z
Updated: 2025-04-10T13:02:54.300Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1540 |
vulnerable | 2026-06-03 14:59:05.729826 |
Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read and clone internal projects under certain circumstances."
Published: 2025-03-06T08:31:07.791Z
Updated: 2025-03-06T16:29:08.261Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1516 |
vulnerable | 2026-06-03 14:59:05.669390 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper input validation in Tokens Names could be used to trigger a denial of service.
Published: 2025-06-12T10:02:45.134Z
Updated: 2025-06-12T13:38:08.165Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1478 |
vulnerable | 2026-06-03 14:59:05.560561 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service.
Published: 2025-06-12T10:02:49.998Z
Updated: 2025-06-12T13:30:42.186Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1477 |
vulnerable | 2026-06-03 14:59:05.560176 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints.
Published: 2025-08-13T17:27:25.496Z
Updated: 2025-08-13T20:01:32.448Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1299 |
vulnerable | 2026-06-03 14:59:04.988249 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.
Published: 2025-07-24T06:33:28.184Z
Updated: 2025-07-24T13:36:27.415Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1278 |
vulnerable | 2026-06-03 14:58:58.208333 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
Published: 2025-05-09T16:13:14.048Z
Updated: 2025-05-09T20:03:19.786Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1257 |
vulnerable | 2026-06-03 14:58:58.096828 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service condition by manipulating specific API inputs.
Published: 2025-03-13T06:00:36.063Z
Updated: 2025-03-14T13:44:11.141Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1250 |
vulnerable | 2026-06-03 14:58:58.094592 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.
Published: 2025-09-12T06:06:14.804Z
Updated: 2025-09-12T17:20:05.685Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1212 |
vulnerable | 2026-06-03 14:58:58.010830 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (4.3)
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
Published: 2025-02-12T15:02:07.113Z
Updated: 2025-02-12T21:07:44.561Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1198 |
vulnerable | 2026-06-03 14:58:57.994801 |
Insufficient Session Expiration in GitLab
MEDIUM (4.2)
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
Published: 2025-02-13T00:55:50.295Z
Updated: 2025-02-13T14:57:28.962Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1110 |
vulnerable | 2026-06-03 14:58:57.830072 |
Insufficient Granularity of Access Control in GitLab
LOW (2.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
Published: 2025-05-22T14:02:31.385Z
Updated: 2025-05-22T14:17:44.379Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1072 |
vulnerable | 2026-06-03 14:58:57.677719 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer.
Published: 2025-02-07T04:05:20.188Z
Updated: 2025-02-07T15:58:01.767Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-1042 |
vulnerable | 2026-06-03 14:58:57.618828 |
Files or Directories Accessible to External Parties in GitLab
MEDIUM (4.9)
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
Published: 2025-02-12T15:02:02.171Z
Updated: 2025-02-12T15:12:26.513Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14870 |
vulnerable | 2026-06-03 14:58:56.070726 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.
Published: 2026-05-14T05:37:32.535Z
Updated: 2026-05-14T13:03:02.406Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14869 |
vulnerable | 2026-06-03 14:58:56.070395 |
Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.
Published: 2026-05-14T05:38:02.894Z
Updated: 2026-05-14T17:44:06.082Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14595 |
vulnerable | 2026-06-03 14:58:55.644987 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control
Published: 2026-03-25T16:34:43.856Z
Updated: 2026-03-27T14:58:40.717Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14594 |
vulnerable | 2026-06-03 14:58:55.644363 |
Authorization Bypass Through User-Controlled Key in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.
Published: 2026-02-11T11:34:06.815Z
Updated: 2026-02-11T15:17:25.802Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14592 |
vulnerable | 2026-06-03 14:58:55.632535 |
Missing Authorization in GitLab
LOW (3.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
Published: 2026-02-11T11:34:01.432Z
Updated: 2026-02-11T15:18:04.995Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14560 |
vulnerable | 2026-06-03 14:58:55.563619 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow.
Published: 2026-02-11T11:34:16.431Z
Updated: 2026-02-26T14:44:27.727Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14513 |
vulnerable | 2026-06-03 14:58:55.466933 |
Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.
Published: 2026-03-11T16:05:30.683Z
Updated: 2026-03-11T19:32:33.904Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14511 |
vulnerable | 2026-06-03 14:58:55.462774 |
Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.
Published: 2026-02-25T20:05:24.799Z
Updated: 2026-02-26T15:57:25.416Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14157 |
vulnerable | 2026-06-03 14:58:54.670542 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters.
Published: 2025-12-11T03:33:18.048Z
Updated: 2025-12-11T15:33:50.064Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-14103 |
vulnerable | 2026-06-03 14:58:54.526121 |
Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
Published: 2026-02-25T19:33:35.698Z
Updated: 2026-02-25T20:52:22.958Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13978 |
vulnerable | 2026-06-03 14:58:54.225597 |
Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests.
Published: 2025-12-11T03:33:22.925Z
Updated: 2025-12-11T15:23:44.385Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13929 |
vulnerable | 2026-06-03 14:58:54.003050 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions.
Published: 2026-03-11T16:05:35.672Z
Updated: 2026-03-12T16:20:28.038Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13928 |
vulnerable | 2026-06-03 14:58:54.002371 |
Incorrect Authorization in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
Published: 2026-01-22T13:34:18.349Z
Updated: 2026-01-22T15:26:44.128Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13927 |
vulnerable | 2026-06-03 14:58:54.001852 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
Published: 2026-01-22T13:34:13.359Z
Updated: 2026-01-22T15:27:56.204Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13874 |
vulnerable | 2026-06-03 14:58:53.869926 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
Published: 2026-05-14T05:38:27.341Z
Updated: 2026-05-14T17:45:08.662Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13781 |
vulnerable | 2026-06-03 14:58:53.654490 |
Missing Authorization in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
Published: 2026-01-09T10:03:51.554Z
Updated: 2026-01-09T19:14:05.513Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13772 |
vulnerable | 2026-06-03 14:58:53.617817 |
Missing Authorization in GitLab
HIGH (7.1)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
Published: 2026-01-09T10:04:06.293Z
Updated: 2026-01-09T19:13:28.846Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13761 |
vulnerable | 2026-06-03 14:58:53.599199 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
Published: 2026-01-09T10:04:01.331Z
Updated: 2026-02-26T15:04:52.291Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13690 |
vulnerable | 2026-06-03 14:58:53.425554 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.
Published: 2026-03-11T16:05:45.741Z
Updated: 2026-03-12T16:20:22.100Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13611 |
vulnerable | 2026-06-03 14:58:46.577719 |
Insertion of Sensitive Information into Log File in GitLab
LOW (2)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.5.5 and 18.6 before 18.6.3 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.
Published: 2025-11-26T19:45:57.778Z
Updated: 2026-03-31T11:46:48.585Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13436 |
vulnerable | 2026-06-03 14:58:46.064741 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Published: 2026-03-25T16:34:53.851Z
Updated: 2026-03-25T17:03:54.631Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13335 |
vulnerable | 2026-06-03 14:58:45.913138 |
Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Published: 2026-01-22T10:04:27.602Z
Updated: 2026-01-22T14:12:36.778Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-13078 |
vulnerable | 2026-06-03 14:58:45.484835 |
Improper Validation of Specified Quantity in Input in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
Published: 2026-03-25T16:35:03.858Z
Updated: 2026-03-25T17:02:57.718Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12983 |
vulnerable | 2026-06-03 14:58:45.375639 |
Memory Allocation with Excessive Size Value in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.
Published: 2025-11-15T08:13:32.098Z
Updated: 2025-11-17T20:17:39.698Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12734 |
vulnerable | 2026-06-03 14:58:44.786535 |
Improper Encoding or Escaping of Output in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.
Published: 2025-12-11T07:32:01.735Z
Updated: 2025-12-16T23:44:05.510Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12716 |
vulnerable | 2026-06-03 14:58:44.773292 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.
Published: 2025-12-11T03:33:37.916Z
Updated: 2026-02-26T16:21:05.064Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12704 |
vulnerable | 2026-06-03 14:58:44.754000 |
Missing Authorization in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
Published: 2026-03-11T16:05:55.759Z
Updated: 2026-03-12T16:20:13.909Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12697 |
vulnerable | 2026-06-03 14:58:44.750515 |
Improper Encoding or Escaping of Output in GitLab
LOW (2.2)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
Published: 2026-03-11T16:06:00.688Z
Updated: 2026-03-11T17:23:04.370Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12669 |
vulnerable | 2026-06-03 14:58:44.701950 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.
Published: 2026-05-14T05:38:37.338Z
Updated: 2026-05-14T17:47:03.748Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12664 |
vulnerable | 2026-06-03 14:58:44.693550 |
Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Published: 2026-04-08T22:26:42.854Z
Updated: 2026-04-09T13:03:53.739Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12653 |
vulnerable | 2026-06-03 14:58:44.676340 |
Authentication Bypass by Spoofing in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.
Published: 2025-11-26T19:46:12.641Z
Updated: 2025-12-10T23:01:24.241Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12576 |
vulnerable | 2026-06-03 14:58:44.551180 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data.
Published: 2026-03-11T16:06:15.686Z
Updated: 2026-03-11T19:36:36.682Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12575 |
vulnerable | 2026-06-03 14:58:44.550843 |
Server-Side Request Forgery (SSRF) in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services through the GitLab server.
Published: 2026-02-11T11:34:36.432Z
Updated: 2026-02-11T15:15:26.432Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12571 |
vulnerable | 2026-06-03 14:58:44.545440 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.
Published: 2025-11-26T19:46:17.647Z
Updated: 2025-12-10T23:01:24.090Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12562 |
vulnerable | 2026-06-03 14:58:44.541289 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits.
Published: 2025-12-11T03:33:47.966Z
Updated: 2025-12-11T15:17:34.128Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12555 |
vulnerable | 2026-06-03 14:58:44.534126 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.
Published: 2026-03-11T16:07:15.673Z
Updated: 2026-03-12T16:20:07.813Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12073 |
vulnerable | 2026-06-03 14:58:43.748484 |
Server-Side Request Forgery (SSRF) in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
Published: 2026-02-11T11:34:46.437Z
Updated: 2026-02-11T15:14:53.506Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12029 |
vulnerable | 2026-06-03 14:58:43.674526 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI."
Published: 2025-12-11T07:32:16.477Z
Updated: 2026-02-26T16:21:04.107Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11990 |
vulnerable | 2026-06-03 14:58:43.596704 |
Improper Handling of URL Encoding (Hex Encoding) in GitLab
LOW (3.1)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.
Published: 2025-11-15T08:03:49.850Z
Updated: 2025-11-17T20:11:14.935Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11989 |
vulnerable | 2026-06-03 14:58:43.596290 |
Missing Authorization in GitLab
LOW (3.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions.
Published: 2025-10-26T23:33:50.230Z
Updated: 2025-10-28T14:44:46.810Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11984 |
vulnerable | 2026-06-03 14:58:43.589465 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.
Published: 2025-12-11T04:04:47.302Z
Updated: 2026-02-26T16:21:04.830Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11974 |
vulnerable | 2026-06-03 14:58:43.577184 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints.
Published: 2025-10-27T00:05:24.332Z
Updated: 2025-10-28T14:59:56.029Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11971 |
vulnerable | 2026-06-03 14:58:43.573800 |
Incorrect Authorization in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits.
Published: 2025-10-27T00:05:34.305Z
Updated: 2025-10-28T15:00:45.588Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11865 |
vulnerable | 2026-06-03 14:58:43.387410 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user.
Published: 2025-11-15T08:03:59.731Z
Updated: 2025-11-17T20:12:20.808Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11702 |
vulnerable | 2026-06-03 14:58:42.925038 |
Missing Authorization in GitLab
HIGH (8.5)
GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.
Published: 2025-10-29T07:04:52.286Z
Updated: 2026-02-26T16:57:01.903Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11447 |
vulnerable | 2026-06-03 14:58:36.071788 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.
Published: 2025-10-27T00:05:19.810Z
Updated: 2025-10-28T14:58:37.798Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11340 |
vulnerable | 2026-06-03 14:58:35.935084 |
Incorrect Authorization in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
Published: 2025-10-09T12:04:20.127Z
Updated: 2025-10-09T13:43:00.365Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11247 |
vulnerable | 2026-06-03 14:58:35.798182 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries.
Published: 2025-12-11T04:04:57.190Z
Updated: 2025-12-11T15:12:43.664Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11246 |
vulnerable | 2026-06-03 14:58:35.797642 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Published: 2026-01-09T10:04:21.283Z
Updated: 2026-01-09T19:13:17.900Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11224 |
vulnerable | 2026-06-03 14:58:35.652371 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.
Published: 2026-01-14T18:58:03.982Z
Updated: 2026-02-26T15:04:08.322Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11042 |
vulnerable | 2026-06-03 14:58:35.292647 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries.
Published: 2025-09-26T09:18:31.712Z
Updated: 2025-09-26T13:10:33.841Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10871 |
vulnerable | 2026-06-03 14:58:34.934596 |
Missing Authorization in GitLab
LOW (3.8)
An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges.
Published: 2025-09-26T09:04:21.687Z
Updated: 2026-02-26T17:47:54.446Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10868 |
vulnerable | 2026-06-03 14:58:34.927718 |
Business Logic Errors in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs.
Published: 2025-09-26T09:10:49.812Z
Updated: 2025-09-26T13:13:02.624Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10867 |
vulnerable | 2026-06-03 14:58:34.927133 |
Allocation of Resources Without Limits or Throttling in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests.
Published: 2025-09-26T09:04:26.530Z
Updated: 2025-09-26T15:33:34.488Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10858 |
vulnerable | 2026-06-03 14:58:34.920431 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files.
Published: 2025-09-26T09:04:31.555Z
Updated: 2025-09-26T15:32:55.310Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10569 |
vulnerable | 2026-06-03 14:58:34.339332 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
Published: 2026-01-09T10:04:26.275Z
Updated: 2026-01-09T19:12:12.768Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10497 |
vulnerable | 2026-06-03 14:58:34.241527 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads.
Published: 2025-10-27T00:05:39.306Z
Updated: 2025-10-28T15:02:48.809Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10094 |
vulnerable | 2026-06-03 14:58:33.534215 |
Improper Validation of Specified Quantity in Input in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with excessively large names.
Published: 2025-09-12T04:57:11.650Z
Updated: 2025-09-12T13:05:11.654Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-10004 |
vulnerable | 2026-06-03 14:58:33.389554 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
Published: 2025-10-09T12:04:30.109Z
Updated: 2025-10-09T13:16:38.980Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0993 |
vulnerable | 2026-06-03 14:58:33.374637 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.
Published: 2025-05-22T14:31:34.239Z
Updated: 2025-05-22T14:46:54.356Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0811 |
vulnerable | 2026-06-03 14:58:32.982374 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.
Published: 2025-03-27T12:31:07.487Z
Updated: 2025-03-27T13:08:11.807Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0765 |
vulnerable | 2026-06-03 14:58:32.927516 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses.
Published: 2025-07-24T06:33:38.009Z
Updated: 2025-07-24T13:36:22.397Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0679 |
vulnerable | 2026-06-03 14:58:32.646903 |
Exposure of Private Personal Information to an Unauthorized Actor in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.
Published: 2025-05-22T14:31:44.104Z
Updated: 2025-05-22T14:46:00.223Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0673 |
vulnerable | 2026-06-03 14:58:32.628434 |
Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, allow an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition.
Published: 2025-06-12T11:03:28.366Z
Updated: 2025-06-12T13:16:12.190Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0652 |
vulnerable | 2026-06-03 14:58:32.580794 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.
Published: 2025-03-13T05:55:59.744Z
Updated: 2025-03-14T18:04:47.874Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0639 |
vulnerable | 2026-06-03 14:58:32.536074 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered affecting service availability via issue preview in GitLab CE/EE affecting all versions from 16.7 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-04-24T07:31:06.117Z
Updated: 2025-04-24T15:23:17.586Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0605 |
vulnerable | 2026-06-03 14:58:32.483444 |
Weak Authentication in GitLab
MEDIUM (4.6)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
Published: 2025-05-22T14:31:54.105Z
Updated: 2025-05-22T14:45:03.172Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0555 |
vulnerable | 2026-06-03 14:58:32.415810 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions.
Published: 2025-03-03T16:02:28.441Z
Updated: 2025-03-04T16:50:43.845Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0549 |
vulnerable | 2026-06-03 14:58:32.412895 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction.
Published: 2025-05-09T16:13:23.860Z
Updated: 2025-05-09T19:58:30.277Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0516 |
vulnerable | 2026-06-03 14:58:32.358829 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
Published: 2025-02-12T15:30:47.995Z
Updated: 2025-02-12T16:00:10.811Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0475 |
vulnerable | 2026-06-03 14:58:32.284109 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
Published: 2025-03-03T10:30:47.570Z
Updated: 2025-03-03T12:07:55.921Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0376 |
vulnerable | 2026-06-03 14:58:32.152082 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
Published: 2025-02-12T15:02:22.215Z
Updated: 2025-02-13T14:14:09.377Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0362 |
vulnerable | 2026-06-03 14:58:32.131192 |
Improper Restriction of Rendered UI Layers or Frames in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
Published: 2025-04-10T14:31:17.009Z
Updated: 2025-04-10T14:56:33.843Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0314 |
vulnerable | 2026-06-03 14:58:32.036381 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.
Published: 2025-01-24T02:30:44.273Z
Updated: 2025-02-12T20:41:30.754Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0290 |
vulnerable | 2026-06-03 14:58:31.999673 |
Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive.
Published: 2025-01-28T08:45:09.560Z
Updated: 2025-01-28T14:41:52.667Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0194 |
vulnerable | 2026-06-03 14:58:23.982807 |
Insertion of Sensitive Information into Externally-Accessible File or Directory in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner.
Published: 2025-01-08T20:02:01.498Z
Updated: 2025-01-09T06:35:12.315Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0186 |
vulnerable | 2026-06-03 14:58:23.969175 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.
Published: 2026-04-22T16:05:41.343Z
Updated: 2026-04-22T17:25:02.340Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9870 |
vulnerable | 2026-06-03 14:58:22.773746 |
Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
MEDIUM (4.3)
An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services.
Published: 2025-02-12T15:31:02.886Z
Updated: 2025-02-12T15:59:49.272Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9773 |
vulnerable | 2026-06-03 14:58:22.567176 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
LOW (3.7)
An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.8.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintainer to add malicious code to the CLI commands shown in the UI.
Published: 2025-03-27T12:31:27.475Z
Updated: 2025-03-27T13:07:40.267Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9693 |
vulnerable | 2026-06-03 14:58:22.460955 |
Incorrect Authorization in GitLab
HIGH (8.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.
Published: 2024-11-14T11:02:01.506Z
Updated: 2024-11-15T04:55:40.277Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9633 |
vulnerable | 2026-06-03 14:58:22.274630 |
Incorrect Ownership Assignment in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
Published: 2024-11-14T13:30:57.385Z
Updated: 2024-12-06T10:34:30.828Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9631 |
vulnerable | 2026-06-03 14:58:22.272332 |
Inefficient Algorithmic Complexity in GitLab
HIGH (7.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Published: 2025-02-05T10:30:51.252Z
Updated: 2025-02-05T19:26:24.166Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9623 |
vulnerable | 2026-06-03 14:58:22.256746 |
Incorrect Authorization in GitLab
MEDIUM (4.9)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
Published: 2024-10-10T09:30:38.315Z
Updated: 2024-10-10T12:52:37.951Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9596 |
vulnerable | 2026-06-03 14:58:22.216877 |
Inclusion of Sensitive Information in Source Code in GitLab
LOW (3.7)
An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.
Published: 2024-10-10T10:02:01.165Z
Updated: 2024-10-10T13:55:09.715Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9512 |
vulnerable | 2026-06-03 14:58:22.030252 |
Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for private repository to be cloned in case of race condition when a secondary node is out of sync.
Published: 2025-06-12T14:02:55.123Z
Updated: 2025-06-12T14:13:37.117Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9387 |
vulnerable | 2026-06-03 14:58:21.134645 |
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
MEDIUM (6.4)
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
Published: 2024-12-12T12:02:39.825Z
Updated: 2024-12-17T04:56:10.278Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9367 |
vulnerable | 2026-06-03 14:58:21.091548 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.
Published: 2024-12-12T12:02:44.837Z
Updated: 2024-12-12T15:44:25.438Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9183 |
vulnerable | 2026-06-03 14:58:20.688802 |
Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions.
Published: 2025-12-05T16:34:00.971Z
Updated: 2026-02-26T16:57:29.574Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9164 |
vulnerable | 2026-06-03 14:58:20.657373 |
Missing Authentication for Critical Function in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
Published: 2024-10-11T11:30:42.233Z
Updated: 2024-10-11T13:42:39.983Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9163 |
vulnerable | 2026-06-03 14:58:20.654458 |
User Interface (UI) Misrepresentation of Critical Information in GitLab
LOW (3.5)
A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs.
Published: 2025-05-23T12:31:11.192Z
Updated: 2025-05-27T14:40:36.623Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8977 |
vulnerable | 2026-06-03 14:58:20.142691 |
Server-Side Request Forgery (SSRF) in GitLab
HIGH (8.2)
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
Published: 2024-10-10T10:02:10.914Z
Updated: 2024-10-10T13:53:37.484Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8974 |
vulnerable | 2026-06-03 14:58:20.136205 |
Incorrect Provision of Specified Functionality in GitLab
LOW (2.6)
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."
Published: 2024-09-26T23:02:00.153Z
Updated: 2024-09-27T15:46:48.041Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8973 |
vulnerable | 2026-06-03 14:58:20.135660 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a malicious crafted payload.
Published: 2025-05-09T16:14:45.564Z
Updated: 2025-05-09T19:54:29.190Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8970 |
vulnerable | 2026-06-03 14:58:20.132555 |
Incorrect Authorization in GitLab
HIGH (8.2)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2024-10-11T12:30:37.109Z
Updated: 2024-10-11T13:37:54.711Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8754 |
vulnerable | 2026-06-03 14:58:19.452489 |
External Control of Critical State Data in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.
Published: 2024-09-12T17:02:00.988Z
Updated: 2024-09-17T19:36:51.833Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8650 |
vulnerable | 2026-06-03 14:58:19.050726 |
Incorrect Authorization in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.
Published: 2024-12-16T04:30:58.662Z
Updated: 2024-12-16T16:45:13.671Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8648 |
vulnerable | 2026-06-03 14:58:19.048613 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (6.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.
Published: 2024-11-14T13:02:08.724Z
Updated: 2024-11-14T19:29:00.227Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8647 |
vulnerable | 2026-06-03 14:58:19.048195 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
MEDIUM (5.4)
An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.
Published: 2024-12-12T12:02:54.888Z
Updated: 2024-12-12T15:44:19.905Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8641 |
vulnerable | 2026-06-03 14:58:19.036111 |
Privilege Context Switching Error in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
Published: 2024-09-12T18:26:18.243Z
Updated: 2024-09-13T14:10:32.415Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8640 |
vulnerable | 2026-06-03 14:58:19.035587 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
HIGH (8.5)
An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.
Published: 2024-09-12T16:56:23.356Z
Updated: 2024-09-13T14:13:28.966Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8635 |
vulnerable | 2026-06-03 14:58:19.033377 |
Server-Side Request Forgery (SSRF) in GitLab
HIGH (7.7)
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL
Published: 2024-09-12T17:01:51.084Z
Updated: 2024-09-13T14:17:39.564Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8631 |
vulnerable | 2026-06-03 14:58:19.029116 |
Privilege Defined With Unsafe Actions in GitLab
MEDIUM (5.5)
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.
Published: 2024-09-12T17:11:03.832Z
Updated: 2024-09-13T14:17:39.020Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8402 |
vulnerable | 2026-06-03 14:58:18.353641 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
LOW (3.7)
An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a Maintainer to introduce malicious code.
Published: 2025-03-13T05:56:29.590Z
Updated: 2025-03-13T19:38:58.363Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8312 |
vulnerable | 2026-06-03 14:58:18.112630 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.
Published: 2024-10-24T09:30:43.270Z
Updated: 2024-10-24T12:57:20.551Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8311 |
vulnerable | 2026-06-03 14:58:18.112019 |
Improper Protection of Alternate Path in GitLab
MEDIUM (6.5)
An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.
Published: 2024-09-12T18:27:24.446Z
Updated: 2024-09-13T14:17:38.422Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8266 |
vulnerable | 2026-06-03 14:58:17.634165 |
Execution with Unnecessary Privileges in GitLab
MEDIUM (4.4)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances.
Published: 2025-02-13T00:54:15.748Z
Updated: 2025-02-13T15:06:49.385Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8237 |
vulnerable | 2026-06-03 14:58:17.552514 |
Inefficient Algorithmic Complexity in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.
Published: 2024-11-26T18:31:00.676Z
Updated: 2024-11-26T18:42:11.715Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8233 |
vulnerable | 2026-06-03 14:58:17.541909 |
Inefficient Algorithmic Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.
Published: 2024-12-12T12:02:59.800Z
Updated: 2024-12-12T15:44:14.399Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8186 |
vulnerable | 2026-06-03 14:58:17.367487 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations.
Published: 2025-03-03T10:02:44.912Z
Updated: 2025-03-03T12:32:03.051Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8180 |
vulnerable | 2026-06-03 14:58:17.353378 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.
Published: 2024-11-14T11:02:16.331Z
Updated: 2024-11-14T19:33:35.064Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8179 |
vulnerable | 2026-06-03 14:58:17.352720 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.
Published: 2024-12-12T12:03:04.799Z
Updated: 2024-12-12T15:44:09.211Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8177 |
vulnerable | 2026-06-03 14:58:17.335295 |
Inefficient Algorithmic Complexity in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.
Published: 2024-11-26T18:31:05.665Z
Updated: 2024-11-26T18:41:50.602Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8124 |
vulnerable | 2026-06-03 14:58:16.995938 |
Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.
Published: 2024-09-12T16:56:33.253Z
Updated: 2024-09-17T11:26:33.391Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8116 |
vulnerable | 2026-06-03 14:58:16.988971 |
Incorrect Authorization in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.
Published: 2024-12-16T04:31:08.730Z
Updated: 2024-12-16T16:44:50.250Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8114 |
vulnerable | 2026-06-03 14:58:16.985759 |
Missing Authorization in GitLab
HIGH (8.2)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.
Published: 2024-11-26T18:31:10.674Z
Updated: 2024-11-30T04:55:53.512Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8041 |
vulnerable | 2026-06-03 14:58:08.009675 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.
Published: 2024-08-22T15:30:37.643Z
Updated: 2024-08-29T15:05:01.304Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7803 |
vulnerable | 2026-06-03 14:58:07.198597 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS.
Published: 2025-05-23T12:31:21.008Z
Updated: 2025-05-27T14:40:07.374Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7610 |
vulnerable | 2026-06-03 14:58:06.523858 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (4.3)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
Published: 2024-08-08T10:30:43.133Z
Updated: 2024-08-29T15:05:01.225Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7586 |
vulnerable | 2026-06-03 14:58:06.452512 |
Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4.1)
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
Published: 2025-06-20T13:58:37.159Z
Updated: 2025-06-20T14:53:39.330Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7554 |
vulnerable | 2026-06-03 14:58:06.351670 |
Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
Published: 2024-08-08T10:30:47.869Z
Updated: 2024-08-29T15:05:01.135Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7404 |
vulnerable | 2026-06-03 14:58:05.830390 |
Improper Restriction of Rendered UI Layers or Frames in GitLab
MEDIUM (6.8)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.
Published: 2024-11-14T13:02:23.587Z
Updated: 2024-11-14T15:08:01.260Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7296 |
vulnerable | 2026-06-03 14:58:05.487640 |
Incorrect Authorization in GitLab
LOW (2.7)
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
Published: 2025-03-13T06:00:54.415Z
Updated: 2025-03-14T13:43:35.011Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7110 |
vulnerable | 2026-06-03 14:58:05.062569 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
MEDIUM (6.4)
An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection.
Published: 2024-08-22T15:30:47.474Z
Updated: 2024-09-17T15:35:37.142Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7102 |
vulnerable | 2026-06-03 14:58:05.054615 |
Execution with Unnecessary Privileges in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2025-02-13T00:54:25.633Z
Updated: 2025-02-13T14:59:00.454Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7091 |
vulnerable | 2026-06-03 14:58:05.012431 |
Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.1)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.
Published: 2024-07-24T22:07:45.260Z
Updated: 2024-08-29T15:05:00.966Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7060 |
vulnerable | 2026-06-03 14:58:04.942778 |
Exposure of Sensitive Information to an Unauthorized Actor in GitLab
LOW (2.6)
An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export.
Published: 2024-07-24T22:07:50.018Z
Updated: 2024-09-17T16:58:29.528Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7057 |
vulnerable | 2026-06-03 14:58:04.937227 |
Improper Access Control in GitLab
MEDIUM (4.3)
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.
Published: 2024-07-25T00:30:55.513Z
Updated: 2024-08-29T15:05:00.782Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7047 |
vulnerable | 2026-06-03 14:58:04.918397 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.
Published: 2024-07-25T00:30:40.657Z
Updated: 2024-08-29T15:05:00.689Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6826 |
vulnerable | 2026-06-03 14:58:04.244259 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.
Published: 2024-10-24T09:30:58.183Z
Updated: 2024-10-24T12:56:42.887Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6685 |
vulnerable | 2026-06-03 14:58:03.871159 |
Authorization Bypass Through User-Controlled Key in GitLab
LOW (3.1)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
Published: 2024-09-16T21:33:58.732Z
Updated: 2024-09-17T15:25:59.042Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6678 |
vulnerable | 2026-06-03 14:58:03.859857 |
Authentication Bypass by Spoofing in GitLab
CRITICAL (9.9)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Published: 2024-09-12T18:26:33.060Z
Updated: 2024-09-13T14:17:37.029Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6595 |
vulnerable | 2026-06-03 14:58:03.641274 |
Uncontrolled Search Path Element in GitLab
LOW (3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.
Published: 2024-07-17T01:30:43.332Z
Updated: 2024-09-17T15:32:29.174Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6530 |
vulnerable | 2026-06-03 14:58:03.419606 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific circumstances.
Published: 2024-10-10T12:02:10.807Z
Updated: 2024-10-10T13:32:29.455Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6502 |
vulnerable | 2026-06-03 14:58:03.335212 |
Incorrect Provision of Specified Functionality in GitLab
MEDIUM (5.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag.
Published: 2024-08-22T15:30:52.480Z
Updated: 2024-08-29T15:05:00.518Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6446 |
vulnerable | 2026-06-03 14:58:03.200860 |
Business Logic Errors in GitLab
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application.
Published: 2024-09-12T16:56:53.258Z
Updated: 2024-09-13T14:17:36.471Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6389 |
vulnerable | 2026-06-03 14:58:03.070923 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.
Published: 2024-09-12T16:56:48.267Z
Updated: 2024-09-13T14:17:35.852Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6385 |
vulnerable | 2026-06-03 14:58:02.969369 |
Improper Access Control in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2024-07-11T06:56:54.515Z
Updated: 2024-09-18T13:11:50.553Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6356 |
vulnerable | 2026-06-03 14:58:02.699978 |
Incorrect User Management in GitLab
MEDIUM (4.4)
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
Published: 2025-02-05T10:02:22.677Z
Updated: 2025-02-05T14:29:45.373Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6329 |
vulnerable | 2026-06-03 14:58:02.593274 |
Improper Encoding or Escaping of Output in GitLab
MEDIUM (5.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.
Published: 2024-08-08T10:02:09.817Z
Updated: 2024-08-29T15:05:00.349Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6324 |
vulnerable | 2026-06-03 14:58:02.578384 |
Inefficient Algorithmic Complexity in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.
Published: 2025-01-09T06:02:46.213Z
Updated: 2025-01-09T15:32:34.143Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6323 |
vulnerable | 2026-06-03 14:58:02.576609 |
Improper Isolation or Compartmentalization in GitLab
HIGH (7.5)
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.
Published: 2024-06-26T23:30:40.557Z
Updated: 2024-09-17T17:03:09.769Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5655 |
vulnerable | 2026-06-03 14:57:53.658896 |
Improper Access Control in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2024-06-26T23:30:55.421Z
Updated: 2024-09-17T15:33:21.131Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5528 |
vulnerable | 2026-06-03 14:57:53.039428 |
Incomplete Comparison with Missing Factors in GitLab
LOW (3.5)
An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.
Published: 2025-02-05T10:31:06.106Z
Updated: 2025-02-05T20:13:11.436Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5470 |
vulnerable | 2026-06-03 14:57:52.906231 |
Improper Access Control in GitLab
LOW (3.8)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.
Published: 2024-07-11T06:57:04.361Z
Updated: 2024-08-29T15:04:59.607Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5469 |
vulnerable | 2026-06-03 14:57:52.905809 |
Uncontrolled Resource Consumption in GitLab
LOW (3.1)
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
Published: 2024-06-14T04:04:49.726Z
Updated: 2025-01-09T21:40:26.611Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5435 |
vulnerable | 2026-06-03 14:57:52.784529 |
Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (4.5)
An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.
Published: 2024-09-12T16:56:58.445Z
Updated: 2024-09-13T14:17:35.209Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5430 |
vulnerable | 2026-06-03 14:57:52.768049 |
Improper Access Control in GitLab
MEDIUM (6.8)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL.
Published: 2024-06-26T23:30:50.436Z
Updated: 2024-08-29T15:04:59.442Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5423 |
vulnerable | 2026-06-03 14:57:52.743544 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.
Published: 2024-08-08T10:31:02.871Z
Updated: 2024-08-29T15:04:59.365Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5318 |
vulnerable | 2026-06-03 14:57:52.372335 |
Missing Authorization in GitLab
MEDIUM (4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts.
Published: 2024-05-24T12:44:25.720Z
Updated: 2024-10-03T06:23:19.497Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5258 |
vulnerable | 2026-06-03 14:57:52.217966 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.4)
An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
Published: 2024-05-23T11:02:06.904Z
Updated: 2024-08-29T15:04:59.201Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5257 |
vulnerable | 2026-06-03 14:57:52.217499 |
Improper Access Control in GitLab
MEDIUM (4.9)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.
Published: 2024-07-11T06:57:09.372Z
Updated: 2024-08-29T15:04:59.125Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5067 |
vulnerable | 2026-06-03 14:57:51.654447 |
Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.4)
An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles.
Published: 2024-07-24T22:08:05.034Z
Updated: 2024-08-29T15:04:59.039Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5005 |
vulnerable | 2026-06-03 14:57:51.459474 |
Incorrect Provision of Specified Functionality in GitLab
MEDIUM (4.3)
An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API.
Published: 2024-10-11T11:30:57.104Z
Updated: 2024-10-11T13:41:55.311Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4994 |
vulnerable | 2026-06-03 14:57:16.673989 |
Cross-Site Request Forgery (CSRF) in GitLab
HIGH (8.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
Published: 2025-06-20T18:14:37.887Z
Updated: 2025-06-23T15:22:37.297Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4901 |
vulnerable | 2026-06-03 14:57:16.455209 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.
Published: 2024-06-26T23:31:05.422Z
Updated: 2024-09-17T17:02:23.803Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4835 |
vulnerable | 2026-06-03 14:57:16.287149 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
Published: 2024-05-23T06:30:50.384Z
Updated: 2024-09-17T15:33:50.607Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4784 |
vulnerable | 2026-06-03 14:57:16.204172 |
Authentication Bypass by Primary Weakness in GitLab
MEDIUM (4.2)
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
Published: 2024-08-08T10:02:19.809Z
Updated: 2024-08-29T15:04:58.457Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4660 |
vulnerable | 2026-06-03 14:57:15.962419 |
Missing Authorization in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.
Published: 2024-09-12T16:57:03.244Z
Updated: 2024-09-13T14:17:34.642Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4612 |
vulnerable | 2026-06-03 14:57:15.878931 |
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
Published: 2024-09-12T16:57:08.255Z
Updated: 2024-09-13T14:17:34.021Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4597 |
vulnerable | 2026-06-03 14:57:15.828258 |
Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (5.7)
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
Published: 2024-05-09T01:38:11.850Z
Updated: 2024-08-29T15:04:58.230Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4557 |
vulnerable | 2026-06-03 14:57:15.755615 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline.
Published: 2024-06-26T23:31:10.425Z
Updated: 2024-08-29T15:04:58.095Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4539 |
vulnerable | 2026-06-03 14:57:15.715765 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service.
Published: 2024-05-09T01:38:21.737Z
Updated: 2024-10-03T06:23:19.371Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4472 |
vulnerable | 2026-06-03 14:57:15.537014 |
Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
Published: 2024-09-12T18:26:38.059Z
Updated: 2024-09-13T14:17:33.408Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4283 |
vulnerable | 2026-06-03 14:57:15.125330 |
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
Published: 2024-09-16T21:34:08.579Z
Updated: 2024-09-18T13:07:40.681Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4278 |
vulnerable | 2026-06-03 14:57:15.117826 |
Incorrect Synchronization in GitLab
MEDIUM (5.5)
An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.
Published: 2024-09-26T06:30:59.796Z
Updated: 2024-09-26T17:26:34.539Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4210 |
vulnerable | 2026-06-03 14:57:14.932426 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.
Published: 2024-08-08T10:02:29.806Z
Updated: 2024-08-29T15:04:57.922Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4207 |
vulnerable | 2026-06-03 14:57:14.929838 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
Published: 2024-08-08T10:31:12.873Z
Updated: 2024-08-29T15:04:57.844Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4201 |
vulnerable | 2026-06-03 14:57:14.922207 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
Published: 2024-06-12T23:01:56.967Z
Updated: 2024-08-29T15:04:57.749Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4099 |
vulnerable | 2026-06-03 14:57:14.725343 |
Improper Encoding or Escaping of Output in GitLab
LOW (3.1)
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.
Published: 2024-09-26T23:02:15.810Z
Updated: 2024-09-27T15:48:49.456Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4025 |
vulnerable | 2026-06-03 14:57:14.562081 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.
Published: 2025-06-20T18:14:33.011Z
Updated: 2025-06-23T15:22:59.976Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4024 |
vulnerable | 2026-06-03 14:57:14.561456 |
Authentication Bypass by Assumed-Immutable Data in GitLab
HIGH (7.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
Published: 2024-04-25T13:30:46.597Z
Updated: 2026-06-02T04:14:54.728Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4011 |
vulnerable | 2026-06-03 14:57:14.531728 |
Improper Access Control in GitLab
LOW (3.1)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.
Published: 2024-06-26T23:31:20.436Z
Updated: 2025-01-09T21:38:32.388Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-4006 |
vulnerable | 2026-06-03 14:57:14.475908 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions
Published: 2024-04-25T13:30:36.721Z
Updated: 2026-06-02T04:14:49.738Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45409 |
vulnerable | 2026-06-03 14:56:56.496473 |
The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector
CRITICAL (10)
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Published: 2024-09-10T18:50:12.965Z
Updated: 2024-11-11T17:02:31.329Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3976 |
vulnerable | 2026-06-03 14:56:32.572223 |
Missing Authorization in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
Published: 2025-02-05T12:02:27.929Z
Updated: 2025-02-05T20:12:12.955Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3959 |
vulnerable | 2026-06-03 14:56:32.525792 |
Improper Authorization in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user.
Published: 2024-06-26T23:31:25.425Z
Updated: 2024-08-29T15:04:57.412Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3958 |
vulnerable | 2026-06-03 14:56:32.523662 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
Published: 2024-08-08T10:31:17.868Z
Updated: 2024-09-17T15:31:43.886Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3303 |
vulnerable | 2026-06-03 14:56:23.975194 |
Improper Neutralization of Input Used for LLM Prompting in GitLab
MEDIUM (6.4)
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection.
Published: 2025-02-13T08:31:11.062Z
Updated: 2025-02-13T14:36:00.382Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3127 |
vulnerable | 2026-06-03 14:56:23.541284 |
Improper Access Control in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.
Published: 2024-08-22T15:31:07.481Z
Updated: 2024-08-29T15:04:57.250Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3115 |
vulnerable | 2026-06-03 14:56:23.511381 |
Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.
Published: 2024-06-26T23:31:35.425Z
Updated: 2024-08-30T13:24:42.967Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3114 |
vulnerable | 2026-06-03 14:56:23.510912 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
Published: 2024-08-08T10:31:22.868Z
Updated: 2024-08-30T13:24:42.884Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3092 |
vulnerable | 2026-06-03 14:56:23.353545 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.
Published: 2024-04-12T00:53:11.346Z
Updated: 2026-05-31T04:05:33.433Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3035 |
vulnerable | 2026-06-03 14:56:23.159410 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (6.8)
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.
Published: 2024-08-08T10:31:32.879Z
Updated: 2024-09-17T15:29:42.165Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2880 |
vulnerable | 2026-06-03 14:55:36.430182 |
Improper Access Control in GitLab
LOW (2.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.
Published: 2024-07-11T06:57:24.360Z
Updated: 2024-09-17T17:00:19.878Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2878 |
vulnerable | 2026-06-03 14:55:36.424617 |
Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.
Published: 2025-02-05T12:21:10.806Z
Updated: 2025-02-05T20:11:02.837Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2874 |
vulnerable | 2026-06-03 14:55:36.416651 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.
Published: 2024-05-23T07:02:35.610Z
Updated: 2024-10-03T06:23:19.176Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2829 |
vulnerable | 2026-06-03 14:55:36.299140 |
Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
Published: 2024-04-25T11:02:06.060Z
Updated: 2025-11-20T04:12:19.477Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2818 |
vulnerable | 2026-06-03 14:55:36.276259 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels.
Published: 2024-03-28T07:17:48.930Z
Updated: 2024-10-03T06:23:18.989Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2800 |
vulnerable | 2026-06-03 14:55:36.253639 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
Published: 2024-08-08T10:31:37.860Z
Updated: 2024-08-30T13:24:42.805Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2743 |
vulnerable | 2026-06-03 14:55:30.059129 |
Incorrect Authorization in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
Published: 2024-09-12T16:57:23.260Z
Updated: 2024-09-13T14:17:32.500Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2651 |
vulnerable | 2026-06-03 14:55:29.820662 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.
Published: 2024-05-09T01:38:31.730Z
Updated: 2024-10-03T06:23:18.818Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2454 |
vulnerable | 2026-06-03 14:55:29.286699 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request.
Published: 2024-05-09T01:38:36.737Z
Updated: 2024-10-03T06:23:18.723Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2434 |
vulnerable | 2026-06-03 14:55:29.239129 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
HIGH (8.5)
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
Published: 2024-04-25T11:02:15.928Z
Updated: 2025-11-20T04:12:14.487Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2279 |
vulnerable | 2026-06-03 14:55:28.866565 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
Published: 2024-04-12T00:53:21.240Z
Updated: 2026-05-02T04:05:37.944Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2191 |
vulnerable | 2026-06-03 14:55:28.634372 |
Improper Access Control in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.
Published: 2024-06-26T23:31:45.431Z
Updated: 2024-09-17T16:01:03.749Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2177 |
vulnerable | 2026-06-03 14:55:28.546191 |
Improper Restriction of Rendered UI Layers or Frames in GitLab
MEDIUM (6.8)
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
Published: 2024-07-09T13:30:57.825Z
Updated: 2024-09-17T16:00:34.552Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1963 |
vulnerable | 2026-06-03 14:54:35.090743 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
Published: 2024-06-12T23:02:11.841Z
Updated: 2024-08-30T13:24:42.721Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1947 |
vulnerable | 2026-06-03 14:54:35.060674 |
Improper Handling of Highly Compressed Data (Data Amplification) in GitLab
MEDIUM (4.3)
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
Published: 2024-05-23T11:02:21.780Z
Updated: 2024-10-03T06:23:18.622Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1816 |
vulnerable | 2026-06-03 14:54:34.717840 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.
Published: 2024-06-26T23:31:50.436Z
Updated: 2024-08-29T15:04:55.560Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1736 |
vulnerable | 2026-06-03 14:54:34.444481 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
Published: 2024-06-12T23:02:21.879Z
Updated: 2024-09-18T13:10:48.392Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1539 |
vulnerable | 2026-06-03 14:54:27.224071 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.
Published: 2025-02-05T09:46:46.182Z
Updated: 2025-02-05T14:30:37.885Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1525 |
vulnerable | 2026-06-03 14:54:27.206122 |
Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP.
Published: 2024-02-21T23:30:44.816Z
Updated: 2026-06-02T04:14:44.730Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1495 |
vulnerable | 2026-06-03 14:54:27.128703 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.
Published: 2024-06-12T23:02:16.842Z
Updated: 2024-08-30T13:24:42.541Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1493 |
vulnerable | 2026-06-03 14:54:27.125969 |
Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server
Published: 2024-06-26T23:31:55.434Z
Updated: 2024-08-30T13:24:42.450Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1451 |
vulnerable | 2026-06-03 14:54:26.950132 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims."
Published: 2024-02-21T23:30:49.790Z
Updated: 2026-05-23T04:05:17.051Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1347 |
vulnerable | 2026-06-03 14:54:26.736578 |
Authentication Bypass by Spoofing in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group.
Published: 2024-04-25T11:02:25.923Z
Updated: 2025-11-20T04:11:59.475Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1299 |
vulnerable | 2026-06-03 14:54:26.637445 |
Privilege Chaining in GitLab
MEDIUM (6.5)
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.
Published: 2024-03-07T00:39:45.501Z
Updated: 2024-10-03T06:23:18.349Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1250 |
vulnerable | 2026-06-03 14:54:26.553209 |
Privilege Chaining in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation.
Published: 2024-02-12T20:47:44.401Z
Updated: 2026-06-02T04:14:39.731Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1211 |
vulnerable | 2026-06-03 14:54:26.467646 |
Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
Published: 2025-01-30T23:45:00.772Z
Updated: 2025-01-31T20:51:47.207Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-1066 |
vulnerable | 2026-06-03 14:54:26.091381 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL `vulnerabilitiesCountByDay`
Published: 2024-02-07T22:02:11.043Z
Updated: 2026-06-02T04:14:34.755Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-13054 |
vulnerable | 2026-06-03 14:54:23.654164 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.
Published: 2025-03-13T05:56:09.637Z
Updated: 2025-03-14T14:36:19.463Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-13041 |
vulnerable | 2026-06-03 14:54:23.631904 |
Incorrect User Management in GitLab
MEDIUM (4.2)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups.
Published: 2025-01-09T06:33:13.241Z
Updated: 2025-01-09T15:29:59.641Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12619 |
vulnerable | 2026-06-03 14:54:22.773884 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (5.2)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
Published: 2025-03-28T10:02:13.406Z
Updated: 2025-03-28T13:46:51.887Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12570 |
vulnerable | 2026-06-03 14:54:22.668589 |
Privilege Context Switching Error in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.
Published: 2024-12-12T11:30:44.818Z
Updated: 2024-12-17T04:56:08.962Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12431 |
vulnerable | 2026-06-03 14:54:16.360864 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.
Published: 2025-01-08T20:30:42.896Z
Updated: 2025-02-12T17:12:59.442Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12380 |
vulnerable | 2026-06-03 14:54:16.252766 |
Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (4.4)
An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
Published: 2025-03-13T05:56:14.642Z
Updated: 2025-03-14T14:35:18.525Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12379 |
vulnerable | 2026-06-03 14:54:16.252413 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access Token.
Published: 2025-02-12T15:02:32.062Z
Updated: 2025-02-12T21:00:39.234Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12303 |
vulnerable | 2026-06-03 14:54:16.094911 |
Incorrect Privilege Assignment in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role.
Published: 2025-08-13T17:27:45.555Z
Updated: 2025-08-13T20:00:25.961Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12292 |
vulnerable | 2026-06-03 14:54:16.056960 |
Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.
Published: 2024-12-12T11:30:39.823Z
Updated: 2024-12-12T15:44:52.213Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12244 |
vulnerable | 2026-06-03 14:54:15.904349 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in access controls could allow users to view certain restricted project information even when related features are disabled in GitLab EE, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
Published: 2025-04-24T07:31:11.125Z
Updated: 2025-04-24T15:23:11.499Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12093 |
vulnerable | 2026-06-03 14:54:15.618056 |
Improper Validation of Consistency within Input in GitLab
MEDIUM (6.8)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
Published: 2025-05-22T14:32:04.147Z
Updated: 2025-05-22T14:44:03.881Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-11931 |
vulnerable | 2026-06-03 14:54:15.146392 |
Insufficient Granularity of Access Control in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint.
Published: 2025-01-24T03:02:16.074Z
Updated: 2025-02-05T20:14:21.196Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-11828 |
vulnerable | 2026-06-03 14:54:14.930078 |
Inefficient Algorithmic Complexity in GitLab
MEDIUM (4.3)
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch.
Published: 2024-11-26T18:41:19.280Z
Updated: 2024-11-26T19:53:40.674Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-11669 |
vulnerable | 2026-06-03 14:54:14.643765 |
Incorrect Authorization in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
Published: 2024-11-26T18:41:09.488Z
Updated: 2024-11-30T04:55:54.926Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-11668 |
vulnerable | 2026-06-03 14:54:14.640526 |
Insufficient Session Expiration in GitLab
MEDIUM (4.2)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
Published: 2024-11-26T18:30:45.846Z
Updated: 2024-11-26T18:42:38.028Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-11274 |
vulnerable | 2026-06-03 14:54:13.807751 |
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
HIGH (8.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.
Published: 2024-12-12T12:02:20.019Z
Updated: 2024-12-12T15:44:45.428Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-11129 |
vulnerable | 2026-06-03 14:54:13.487437 |
Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (6.3)
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. This allows attackers to perform targeted searches with sensitive keywords to get the count of issues containing the searched term."
Published: 2025-04-10T13:02:48.148Z
Updated: 2025-04-10T13:16:35.153Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10925 |
vulnerable | 2026-06-03 14:54:12.974879 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (5.3)
A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML
Published: 2025-03-03T11:02:24.017Z
Updated: 2025-08-26T19:58:07.582Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10307 |
vulnerable | 2026-06-03 14:54:05.314273 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
Published: 2025-03-28T10:02:23.294Z
Updated: 2025-03-28T13:42:16.490Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10240 |
vulnerable | 2026-06-03 14:54:05.171173 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
Published: 2024-11-26T19:22:52.689Z
Updated: 2024-11-26T20:26:23.503Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10219 |
vulnerable | 2026-06-03 14:54:05.135167 |
Incorrect Authorization in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints.
Published: 2025-08-13T17:28:00.498Z
Updated: 2025-08-13T19:59:02.008Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10043 |
vulnerable | 2026-06-03 14:54:04.798636 |
Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.
Published: 2024-12-12T12:02:29.814Z
Updated: 2024-12-12T15:44:38.834Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0861 |
vulnerable | 2026-06-03 14:54:04.356305 |
Direct Request ('Forced Browsing') in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.
Published: 2024-02-21T23:30:39.942Z
Updated: 2026-05-01T04:05:36.289Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0456 |
vulnerable | 2026-06-03 14:54:02.795909 |
Direct Request ('Forced Browsing') in GitLab
MEDIUM (4.3)
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project
Published: 2024-01-26T01:02:43.953Z
Updated: 2026-06-05T22:59:50.196Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0410 |
vulnerable | 2026-06-03 14:54:02.616830 |
Improper Enforcement of Behavioral Workflow in GitLab
HIGH (7.7)
An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.
Published: 2024-02-21T23:30:59.792Z
Updated: 2025-11-20T04:11:49.579Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0402 |
vulnerable | 2026-06-03 14:54:02.348396 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
CRITICAL (9.9)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
Published: 2024-01-26T01:02:39.052Z
Updated: 2026-06-03T04:08:40.742Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0231 |
vulnerable | 2026-06-03 14:54:01.941825 |
Improper Control of Resource Identifiers ('Resource Injection') in GitLab
LOW (2.7)
A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.
Published: 2024-07-24T22:08:20.025Z
Updated: 2024-08-29T15:04:54.292Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0199 |
vulnerable | 2026-06-03 14:54:01.878792 |
Incorrect Authorization in GitLab
HIGH (7.7)
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.
Published: 2024-03-07T00:39:50.159Z
Updated: 2025-04-16T15:53:24.694Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-7045 |
vulnerable | 2026-06-03 14:53:59.814334 |
Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (5.4)
A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).
Published: 2024-05-23T11:02:26.796Z
Updated: 2024-09-18T13:11:01.842Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-7028 |
vulnerable | 2026-06-03 14:53:59.588563 |
Weak Password Recovery Mechanism for Forgotten Password in GitLab
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Published: 2024-01-12T13:56:41.726Z
Updated: 2026-05-26T04:05:15.369Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6955 |
vulnerable | 2026-06-03 14:53:59.431241 |
Missing Authorization in GitLab
MEDIUM (6.6)
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
Published: 2024-01-12T13:56:31.881Z
Updated: 2026-05-25T23:00:20.223Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6840 |
vulnerable | 2026-06-03 14:53:59.134597 |
Missing Authorization in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR.
Published: 2024-02-07T22:02:20.934Z
Updated: 2026-04-24T04:07:19.586Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6736 |
vulnerable | 2026-06-03 14:53:58.826328 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file.
Published: 2024-02-07T22:02:30.947Z
Updated: 2026-04-24T04:07:14.453Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6688 |
vulnerable | 2026-06-03 14:53:58.673424 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.
Published: 2024-05-09T01:38:46.718Z
Updated: 2024-10-03T06:23:17.156Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6682 |
vulnerable | 2026-06-03 14:53:58.664378 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server.
Published: 2024-05-09T01:42:44.606Z
Updated: 2024-10-03T06:23:17.063Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6680 |
vulnerable | 2026-06-03 14:53:58.658531 |
Improper Certificate Validation in GitLab
HIGH (7.4)
An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator.
Published: 2023-12-15T16:02:40.371Z
Updated: 2026-05-12T04:05:56.897Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6678 |
vulnerable | 2026-06-03 14:53:58.656966 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using malicious crafted content in a junit test report file.
Published: 2024-04-12T00:53:31.239Z
Updated: 2025-11-20T04:11:33.276Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6564 |
vulnerable | 2026-06-03 14:53:52.151745 |
Incorrect Authorization in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.
Published: 2024-02-08T11:30:52.438Z
Updated: 2024-10-03T06:23:16.888Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6502 |
vulnerable | 2026-06-03 14:53:52.005733 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.
Published: 2024-05-23T11:02:31.779Z
Updated: 2024-10-03T06:23:16.789Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6489 |
vulnerable | 2026-06-03 14:53:51.974718 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.
Published: 2024-04-12T00:53:41.230Z
Updated: 2025-11-20T04:11:28.262Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6477 |
vulnerable | 2026-06-03 14:53:51.954038 |
Incorrect Privilege Assignment in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.
Published: 2024-02-21T23:31:09.811Z
Updated: 2026-05-15T04:05:17.852Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6386 |
vulnerable | 2026-06-03 14:53:51.628763 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.
Published: 2025-02-05T09:31:10.106Z
Updated: 2025-02-05T14:45:32.989Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6371 |
vulnerable | 2026-06-03 14:53:51.598391 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
Published: 2024-03-28T07:18:03.820Z
Updated: 2026-05-08T04:06:58.687Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6195 |
vulnerable | 2026-06-03 14:53:51.086396 |
Server-Side Request Forgery (SSRF) in GitLab
LOW (2.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository.
Published: 2025-01-30T23:45:10.780Z
Updated: 2025-02-18T18:59:19.527Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6159 |
vulnerable | 2026-06-03 14:53:51.032498 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.
Published: 2024-01-26T02:02:29.909Z
Updated: 2026-05-06T04:06:19.058Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6051 |
vulnerable | 2026-06-03 14:53:50.231711 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.
Published: 2023-12-15T16:02:50.265Z
Updated: 2025-11-20T04:11:13.279Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-6033 |
vulnerable | 2026-06-03 14:53:50.203921 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allows attacker to execute javascript in victim's browser.
Published: 2023-12-01T07:01:38.124Z
Updated: 2025-11-20T04:11:08.273Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5995 |
vulnerable | 2026-06-03 14:53:50.139507 |
Incorrect Authorization in GitLab
MEDIUM (4.4)
An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.
Published: 2023-12-01T07:01:28.253Z
Updated: 2025-11-20T04:11:03.258Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5963 |
vulnerable | 2026-06-03 14:53:50.032664 |
Allocation of Resources Without Limits or Throttling in GitLab
LOW (3.1)
An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators.
Published: 2023-11-06T12:18:56.276Z
Updated: 2026-06-04T04:09:15.482Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5933 |
vulnerable | 2026-06-03 14:53:49.955703 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
Published: 2024-01-26T01:02:58.931Z
Updated: 2026-04-25T04:05:38.198Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5831 |
vulnerable | 2026-06-03 14:53:49.749793 |
Insertion of Sensitive Information Into Sent Data in GitLab
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors.
Published: 2023-11-06T10:30:28.442Z
Updated: 2026-06-02T04:13:27.636Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5825 |
vulnerable | 2026-06-03 14:53:49.730629 |
Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service.
Published: 2023-11-06T10:30:38.334Z
Updated: 2026-04-29T04:05:16.721Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5612 |
vulnerable | 2026-06-03 14:53:49.087715 |
Missing Authorization in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
Published: 2024-01-26T02:02:39.783Z
Updated: 2025-11-20T04:10:48.267Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5600 |
vulnerable | 2026-06-03 14:53:49.069929 |
Missing Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template.
Published: 2025-06-20T19:31:08.397Z
Updated: 2025-06-20T19:52:09.173Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5512 |
vulnerable | 2026-06-03 14:53:48.876504 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect representation in the UI.
Published: 2023-12-15T16:03:00.260Z
Updated: 2026-04-28T04:05:20.348Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5356 |
vulnerable | 2026-06-03 14:53:48.393145 |
Incorrect Authorization in GitLab
HIGH (7.3)
Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.
Published: 2024-01-12T13:56:51.714Z
Updated: 2026-04-28T04:05:15.311Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5332 |
vulnerable | 2026-06-03 14:53:48.278600 |
Dependency on Vulnerable Third-Party Component in GitLab
MEDIUM (5.9)
Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.
Published: 2023-12-04T06:30:33.856Z
Updated: 2024-10-03T06:23:16.051Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5226 |
vulnerable | 2026-06-03 14:53:48.017176 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.
Published: 2023-12-01T07:01:43.131Z
Updated: 2026-04-23T04:05:16.458Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5207 |
vulnerable | 2026-06-03 14:53:47.975392 |
Execution with Unnecessary Privileges in GitLab
HIGH (8.2)
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Published: 2023-09-30T08:30:30.788Z
Updated: 2025-11-20T04:10:28.256Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5198 |
vulnerable | 2026-06-03 14:53:47.952958 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.
Published: 2023-09-29T07:01:42.219Z
Updated: 2026-05-17T04:06:13.122Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5117 |
vulnerable | 2026-06-03 14:53:47.666199 |
Exposure of Sensitive Information Due to Incompatible Policies in GitLab
LOW (3.7)
An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.
Published: 2024-12-25T14:46:47.927Z
Updated: 2024-12-26T18:10:54.988Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5106 |
vulnerable | 2026-06-03 14:53:47.011567 |
Incorrect Authorization in GitLab
HIGH (8.2)
An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
Published: 2023-10-02T11:49:56.333Z
Updated: 2026-04-07T04:06:43.836Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5061 |
vulnerable | 2026-06-03 14:53:46.880810 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API.
Published: 2023-12-15T16:03:05.257Z
Updated: 2026-05-02T04:05:18.070Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5009 |
vulnerable | 2026-06-03 14:53:46.475116 |
Incorrect Authorization in GitLab
CRITICAL (9.6)
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.
Published: 2023-09-19T07:01:14.930Z
Updated: 2026-05-02T04:05:13.152Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4912 |
vulnerable | 2026-06-03 14:53:29.965407 |
Allocation of Resources Without Limits or Throttling in GitLab
LOW (2.6)
An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input.
Published: 2023-12-01T07:01:48.155Z
Updated: 2026-04-30T04:06:57.160Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4895 |
vulnerable | 2026-06-03 14:53:29.903029 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects
Published: 2024-02-22T00:02:43.649Z
Updated: 2025-11-20T04:10:03.293Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4812 |
vulnerable | 2026-06-03 14:53:29.722099 |
Incorrect Authorization in GitLab
HIGH (7.6)
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.
Published: 2024-01-12T13:56:56.701Z
Updated: 2026-05-01T04:05:16.393Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4700 |
vulnerable | 2026-06-03 14:53:29.464571 |
Missing Authorization in GitLab
LOW (3.5)
An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals.
Published: 2023-11-06T17:30:35.198Z
Updated: 2025-11-20T04:09:53.262Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4658 |
vulnerable | 2026-06-03 14:53:29.243250 |
Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.
Published: 2023-12-01T07:01:58.125Z
Updated: 2026-04-26T04:06:59.596Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4647 |
vulnerable | 2026-06-03 14:53:29.236599 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances.
Published: 2023-09-01T10:30:27.108Z
Updated: 2026-06-02T04:13:14.397Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4630 |
vulnerable | 2026-06-03 14:53:29.196120 |
Missing Authorization in GitLab
MEDIUM (5)
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports.
Published: 2023-09-11T13:01:02.519Z
Updated: 2026-06-02T04:13:09.394Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4532 |
vulnerable | 2026-06-03 14:53:28.447902 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.
Published: 2023-09-29T06:02:01.299Z
Updated: 2026-04-26T04:06:54.749Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4522 |
vulnerable | 2026-06-03 14:53:28.407262 |
Improper Validation of Specified Type of Input in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions before 16.2.0. Committing directories containing LF character results in 500 errors when viewing the commit.
Published: 2023-08-30T07:01:19.117Z
Updated: 2026-05-26T04:04:53.890Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4379 |
vulnerable | 2026-06-03 14:53:27.888387 |
Incorrect Authorization in GitLab
HIGH (8.1)
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.
Published: 2023-11-09T21:01:10.733Z
Updated: 2026-06-02T04:13:04.410Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4378 |
vulnerable | 2026-06-03 14:53:27.887922 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a result of an incomplete fix for CVE-2022-4365.
Published: 2023-09-01T10:30:31.991Z
Updated: 2026-04-24T04:06:57.149Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4317 |
vulnerable | 2026-06-03 14:53:27.822771 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.
Published: 2023-12-01T07:02:03.130Z
Updated: 2025-11-20T04:09:33.265Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4018 |
vulnerable | 2026-06-03 14:53:26.930430 |
Direct Request ('Forced Browsing') in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects.
Published: 2023-09-01T10:30:41.985Z
Updated: 2026-04-27T04:06:36.504Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4011 |
vulnerable | 2026-06-03 14:53:26.912579 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions from 15.11 prior to 16.2.2 which allows an attacker to spike the resource consumption resulting in DoS.
Published: 2023-08-02T05:30:35.128Z
Updated: 2024-10-03T06:23:14.085Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4008 |
vulnerable | 2026-06-03 14:53:26.903395 |
Incorrect Ownership Assignment in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known.
Published: 2023-08-03T06:31:21.677Z
Updated: 2026-06-02T04:12:58.974Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-4002 |
vulnerable | 2026-06-03 14:53:26.884218 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security projects's configured security policies.
Published: 2023-08-04T00:30:28.797Z
Updated: 2026-06-02T04:12:54.090Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3994 |
vulnerable | 2026-06-03 14:52:42.313916 |
Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint.
Published: 2023-08-02T00:06:50.342Z
Updated: 2026-04-27T04:06:31.406Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3993 |
vulnerable | 2026-06-03 14:52:42.313453 |
Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4.9)
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint.
Published: 2023-08-02T00:07:00.242Z
Updated: 2024-10-03T06:23:13.637Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3979 |
vulnerable | 2026-06-03 14:52:42.287355 |
Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch.
Published: 2023-09-29T06:02:06.310Z
Updated: 2026-05-08T04:06:39.092Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3964 |
vulnerable | 2026-06-03 14:52:42.230907 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.
Published: 2023-12-01T07:02:18.158Z
Updated: 2026-05-06T04:05:57.591Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3950 |
vulnerable | 2026-06-03 14:52:42.203852 |
Cleartext Storage of Sensitive Information in GitLab
MEDIUM (5.5)
An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.
Published: 2023-09-01T10:30:46.990Z
Updated: 2026-05-06T04:05:52.878Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3949 |
vulnerable | 2026-06-03 14:52:42.203376 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members.
Published: 2023-12-01T07:02:13.130Z
Updated: 2025-11-20T04:09:03.271Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3932 |
vulnerable | 2026-06-03 14:52:42.134831 |
Incorrect User Management in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies.
Published: 2023-08-03T04:01:58.186Z
Updated: 2025-11-20T04:08:58.262Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3922 |
vulnerable | 2026-06-03 14:52:42.134272 |
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
LOW (3)
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.
Published: 2023-09-29T07:30:50.402Z
Updated: 2026-04-25T04:05:19.195Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3920 |
vulnerable | 2026-06-03 14:52:42.133658 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.
Published: 2023-09-29T06:02:31.303Z
Updated: 2026-04-25T04:05:14.315Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3917 |
vulnerable | 2026-06-03 14:52:42.133108 |
Improper Validation of Specified Type of Input in GitLab
MEDIUM (4.3)
Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows attacker to cause pipelines to fail.
Published: 2023-09-29T06:02:26.304Z
Updated: 2026-04-29T04:04:53.712Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3915 |
vulnerable | 2026-06-03 14:52:42.132472 |
Incorrect Execution-Assigned Permissions in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.
Published: 2023-09-01T10:01:16.853Z
Updated: 2026-05-13T04:04:58.023Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3914 |
vulnerable | 2026-06-03 14:52:42.131899 |
Incorrect User Management in GitLab
MEDIUM (5.4)
A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.
Published: 2023-09-29T06:02:21.304Z
Updated: 2026-04-28T04:04:57.469Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3909 |
vulnerable | 2026-06-03 14:52:42.131309 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file.
Published: 2023-11-06T12:08:45.129Z
Updated: 2025-11-20T04:08:28.265Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3907 |
vulnerable | 2026-06-03 14:52:42.130859 |
Improper User Management in GitLab
MEDIUM (4.9)
A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner
Published: 2023-12-17T23:02:36.694Z
Updated: 2026-05-31T04:05:00.429Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3906 |
vulnerable | 2026-06-03 14:52:42.130423 |
Improper Validation of Specified Type of Input in GitLab
LOW (3.5)
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.
Published: 2023-09-29T06:02:16.308Z
Updated: 2025-11-20T04:08:18.260Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3904 |
vulnerable | 2026-06-03 14:52:42.129967 |
Improper Validation of Specified Type of Input in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible to overflow the time spent on an issue that altered the details shown in the issue boards.
Published: 2023-12-15T16:03:15.329Z
Updated: 2025-11-20T04:08:13.275Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3900 |
vulnerable | 2026-06-03 14:52:42.129597 |
Improper Validation of Specified Type of Input in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on merge requests page may lead to Denial of Service as Changes tab would not load.
Published: 2023-08-02T00:07:05.231Z
Updated: 2025-11-20T04:08:08.254Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3511 |
vulnerable | 2026-06-03 14:52:41.040328 |
Incorrect Authorization in GitLab
LOW (2)
An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of.
Published: 2023-12-15T15:31:04.966Z
Updated: 2025-11-20T04:08:03.264Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3509 |
vulnerable | 2026-06-03 14:52:41.028482 |
Incorrect Authorization in GitLab
LOW (3.7)
An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group.
Published: 2024-02-21T22:57:15.488Z
Updated: 2025-11-20T04:07:58.271Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3500 |
vulnerable | 2026-06-03 14:52:41.012463 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims.
Published: 2023-08-02T00:07:15.239Z
Updated: 2025-11-20T04:07:53.323Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3484 |
vulnerable | 2026-06-03 14:52:40.992060 |
Incorrect Authorization in GitLab
HIGH (8)
An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations.
Published: 2023-07-21T13:01:03.770Z
Updated: 2025-11-20T04:07:48.264Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3444 |
vulnerable | 2026-06-03 14:52:40.872219 |
Incorrect Authorization in GitLab
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.
Published: 2023-07-13T02:08:20.930Z
Updated: 2024-11-05T15:15:46.783Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3443 |
vulnerable | 2026-06-03 14:52:40.869126 |
Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.
Published: 2023-12-01T07:02:33.126Z
Updated: 2025-11-20T04:07:43.258Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3441 |
vulnerable | 2026-06-03 14:52:40.868361 |
Exposure of Sensitive Information Due to Incompatible Policies in GitLab
MEDIUM (6.6)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.
Published: 2024-10-01T09:47:16.444Z
Updated: 2024-10-01T13:28:02.702Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3424 |
vulnerable | 2026-06-03 14:52:40.764198 |
Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
Published: 2023-07-13T02:08:07.284Z
Updated: 2024-10-30T19:29:27.116Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3413 |
vulnerable | 2026-06-03 14:52:40.751602 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Published: 2023-09-29T08:30:56.742Z
Updated: 2025-11-20T04:07:38.285Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3401 |
vulnerable | 2026-06-03 14:52:40.732608 |
Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.
Published: 2023-08-02T08:30:48.302Z
Updated: 2025-11-20T04:07:33.267Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3399 |
vulnerable | 2026-06-03 14:52:40.729773 |
Insertion of Sensitive Information Into Sent Data in GitLab
HIGH (8.5)
An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.
Published: 2023-11-06T12:08:54.970Z
Updated: 2025-11-20T04:07:28.274Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3385 |
vulnerable | 2026-06-03 14:52:40.696966 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
MEDIUM (6.3)
An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html).
Published: 2023-08-01T23:35:55.776Z
Updated: 2025-11-20T04:07:23.274Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3364 |
vulnerable | 2026-06-03 14:52:40.633141 |
Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint.
Published: 2023-08-01T23:36:00.662Z
Updated: 2025-11-20T04:07:18.275Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3363 |
vulnerable | 2026-06-03 14:52:40.632667 |
Insertion of Sensitive Information into Log File in GitLab
LOW (3.9)
An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`.
Published: 2023-07-13T02:08:35.069Z
Updated: 2024-11-05T15:14:10.202Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3362 |
vulnerable | 2026-06-03 14:52:40.631042 |
Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (5.3)
An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub.
Published: 2023-07-13T02:08:46.856Z
Updated: 2024-11-05T15:10:55.758Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3246 |
vulnerable | 2026-06-03 14:52:40.258475 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor.
Published: 2023-11-06T12:01:43.918Z
Updated: 2025-11-20T04:07:13.254Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3210 |
vulnerable | 2026-06-03 14:52:40.188401 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
Published: 2023-09-01T10:31:06.983Z
Updated: 2025-11-20T04:07:08.262Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3205 |
vulnerable | 2026-06-03 14:52:40.179832 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
Published: 2023-09-01T10:01:26.675Z
Updated: 2025-11-20T04:07:03.335Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3115 |
vulnerable | 2026-06-03 14:52:39.955316 |
Incorrect User Management in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.
Published: 2023-09-29T06:02:51.300Z
Updated: 2025-11-20T04:06:58.296Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3102 |
vulnerable | 2026-06-03 14:52:39.901723 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.3)
A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issue and MR.
Published: 2023-07-21T15:30:47.974Z
Updated: 2025-11-20T04:06:53.267Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2825 |
vulnerable | 2026-06-03 14:51:44.084907 |
Details available
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
Published: 2023-05-26T00:00:00.000Z
Updated: 2025-01-15T15:45:18.054Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2620 |
vulnerable | 2026-06-03 14:51:43.512593 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838.
Published: 2023-07-13T02:11:05.008Z
Updated: 2024-11-06T14:22:24.167Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2589 |
vulnerable | 2026-06-03 14:51:43.456934 |
Details available
MEDIUM (5.9)
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:25:26.100Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2576 |
vulnerable | 2026-06-03 14:51:43.422811 |
Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch.
Published: 2023-07-13T02:08:59.291Z
Updated: 2024-10-30T19:24:40.514Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2485 |
vulnerable | 2026-06-03 14:51:43.219326 |
Incorrect Privilege Assignment in GitLab
MEDIUM (4.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T15:44:24.332Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2478 |
vulnerable | 2026-06-03 14:51:43.205203 |
Details available
CRITICAL (9.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.
Published: 2023-05-08T00:00:00.000Z
Updated: 2025-01-29T17:16:21.653Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2442 |
vulnerable | 2026-06-03 14:51:43.151966 |
Details available
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:29:51.039Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2233 |
vulnerable | 2026-06-03 14:51:42.426089 |
Missing Authorization in GitLab
LOW (3.1)
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.
Published: 2023-09-29T06:30:51.179Z
Updated: 2025-11-20T04:06:48.254Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2232 |
vulnerable | 2026-06-03 14:51:42.425656 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix
Published: 2023-06-28T00:00:00.000Z
Updated: 2024-11-27T18:57:25.059Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2200 |
vulnerable | 2026-06-03 14:51:42.372215 |
Improper Encoding or Escaping of Output in GitLab
MEDIUM (4.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field.
Published: 2023-07-13T02:02:34.411Z
Updated: 2024-10-30T19:31:16.274Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2199 |
vulnerable | 2026-06-03 14:51:42.371798 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:45:38.544Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2198 |
vulnerable | 2026-06-03 14:51:42.371389 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:46:54.703Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2190 |
vulnerable | 2026-06-03 14:51:42.354457 |
Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.
Published: 2023-07-13T02:00:02.797Z
Updated: 2024-10-30T19:53:19.973Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2182 |
vulnerable | 2026-06-03 14:51:42.329819 |
Details available
MEDIUM (6.8)
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions when OpenID Connect is enabled on an instance, it may allow users who are marked as 'external' to become 'regular' users thus leading to privilege escalation for those users.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-30T20:51:04.176Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2181 |
vulnerable | 2026-06-03 14:51:42.329497 |
Details available
MEDIUM (6.3)
An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI.
Published: 2023-05-12T00:00:00.000Z
Updated: 2025-01-24T15:47:03.675Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2164 |
vulnerable | 2026-06-03 14:51:42.294127 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta.
Published: 2023-08-01T23:36:10.665Z
Updated: 2025-11-20T04:06:43.271Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2132 |
vulnerable | 2026-06-03 14:51:42.235454 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint.
Published: 2023-06-06T00:00:00.000Z
Updated: 2025-01-07T21:34:45.492Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2069 |
vulnerable | 2026-06-03 14:51:42.126436 |
Details available
MEDIUM (6.4)
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-30T20:30:20.164Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2030 |
vulnerable | 2026-06-03 14:51:42.028417 |
Improper Verification of Cryptographic Signature in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
Published: 2024-01-12T13:57:06.694Z
Updated: 2025-11-20T04:06:38.255Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2022 |
vulnerable | 2026-06-03 14:51:42.003634 |
Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge
Published: 2023-08-02T08:30:58.187Z
Updated: 2025-11-20T04:06:33.293Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2015 |
vulnerable | 2026-06-03 14:51:41.964484 |
Details available
MEDIUM (4.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:48:03.485Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2013 |
vulnerable | 2026-06-03 14:51:41.961804 |
Details available
LOW (2.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:50:56.690Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2001 |
vulnerable | 2026-06-03 14:51:41.914510 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:54:05.061Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1965 |
vulnerable | 2026-06-03 14:48:56.754462 |
Details available
MEDIUM (6.8)
An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-29T21:40:33.282Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1936 |
vulnerable | 2026-06-03 14:48:56.728988 |
Exposure of Private Personal Information to an Unauthorized Actor in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue.
Published: 2023-07-11T07:58:27.746Z
Updated: 2024-11-12T16:22:49.564Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1836 |
vulnerable | 2026-06-03 14:48:56.577022 |
Details available
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-29T21:46:34.969Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1825 |
vulnerable | 2026-06-03 14:48:56.553858 |
Insertion of Sensitive Information Into Sent Data in GitLab
LOW (3.1)
An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:56:43.350Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1787 |
vulnerable | 2026-06-03 14:48:56.501119 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:42:19.982Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1733 |
vulnerable | 2026-06-03 14:48:56.358185 |
Details available
MEDIUM (5.8)
A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:48:40.695Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1710 |
vulnerable | 2026-06-03 14:48:56.304056 |
Details available
MEDIUM (5.3)
A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:49:48.239Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1708 |
vulnerable | 2026-06-03 14:48:56.295045 |
Details available
MEDIUM (5.7)
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters gets copied from clipboard, allowing unexpected commands to be executed on victim machine.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:51:52.816Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1621 |
vulnerable | 2026-06-03 14:48:55.962114 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to commit to projects even from a restricted IP address.
Published: 2023-06-06T00:00:00.000Z
Updated: 2025-01-07T21:38:25.067Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1555 |
vulnerable | 2026-06-03 14:48:55.734084 |
Missing Authorization in GitLab
LOW (2.7)
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API.
Published: 2023-09-01T10:01:36.711Z
Updated: 2025-11-20T04:06:28.258Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1417 |
vulnerable | 2026-06-03 14:48:55.442203 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T15:26:30.751Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1401 |
vulnerable | 2026-06-03 14:48:55.410258 |
Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5)
An issue has been discovered in GitLab DAST scanner affecting all versions starting from 3.0.29 before 4.0.5, in which the DAST scanner leak cross site cookies on redirect during authorization.
Published: 2023-07-26T06:01:46.447Z
Updated: 2025-11-20T04:06:23.275Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1279 |
vulnerable | 2026-06-03 14:48:54.203857 |
URL Redirection to Untrusted Site in GitLab
LOW (2.6)
An issue has been discovered in GitLab affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project.
Published: 2023-09-01T10:01:41.677Z
Updated: 2025-11-20T04:06:18.262Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1265 |
vulnerable | 2026-06-03 14:48:54.181249 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-29T21:48:35.944Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1210 |
vulnerable | 2026-06-03 14:48:54.046545 |
Generation of Error Message Containing Sensitive Information in GitLab
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain.
Published: 2023-08-01T23:36:25.668Z
Updated: 2025-11-20T04:06:13.263Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1204 |
vulnerable | 2026-06-03 14:48:53.994349 |
Details available
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-30T15:23:14.205Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1178 |
vulnerable | 2026-06-03 14:48:53.941369 |
Details available
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:24:29.956Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1167 |
vulnerable | 2026-06-03 14:48:53.914761 |
Details available
MEDIUM (5.3)
Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:52:43.715Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1098 |
vulnerable | 2026-06-03 14:48:53.730768 |
Details available
MEDIUM (5.8)
An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 will allow an admin to leak password from repository mirror configuration.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:58:02.109Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1084 |
vulnerable | 2026-06-03 14:48:53.689396 |
Details available
LOW (2.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:34:19.563Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1072 |
vulnerable | 2026-06-03 14:48:53.638747 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:33:11.787Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1071 |
vulnerable | 2026-06-03 14:48:53.638297 |
Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:58:46.736Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0989 |
vulnerable | 2026-06-03 14:48:53.461220 |
Improper Ownership Management in GitLab
MEDIUM (4.3)
An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.
Published: 2023-09-29T06:30:56.081Z
Updated: 2025-11-20T04:06:08.264Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0921 |
vulnerable | 2026-06-03 14:48:53.305158 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Published: 2023-06-06T00:00:00.000Z
Updated: 2025-01-07T21:51:37.372Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0838 |
vulnerable | 2026-06-03 14:48:52.959600 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the url. This addresses an incomplete fix for CVE-2022-4342.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:59:42.972Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0805 |
vulnerable | 2026-06-03 14:48:52.751428 |
Details available
MEDIUM (4.9)
An issue has been discovered in GitLab EE affecting all versions starting from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to have access to the public projects of a public group even after being banned from the public group by the owner.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:12:30.237Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0756 |
vulnerable | 2026-06-03 14:48:52.661076 |
Details available
MEDIUM (4.8)
An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code, victims who clone or download these repositories will execute arbitrary code on their systems.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:08:12.043Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0632 |
vulnerable | 2026-06-03 14:48:52.284324 |
Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry.
Published: 2023-08-01T23:36:30.662Z
Updated: 2025-11-20T04:06:03.830Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0523 |
vulnerable | 2026-06-03 14:48:51.967681 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T21:09:32.085Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0518 |
vulnerable | 2026-06-03 14:48:46.588498 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T19:13:59.735Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0508 |
vulnerable | 2026-06-03 14:48:46.577752 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:58:22.665Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0485 |
vulnerable | 2026-06-03 14:48:46.506230 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role to read project updates by doing a diff with a pre-existing fork.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:07:11.683Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0483 |
vulnerable | 2026-06-03 14:48:46.502281 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:31:41.989Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0450 |
vulnerable | 2026-06-03 14:48:46.337014 |
Details available
LOW (3.7)
An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible to add a branch with an ambiguous name that could be used to social engineer users.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T15:29:29.135Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0319 |
vulnerable | 2026-06-03 14:48:46.035021 |
Details available
MEDIUM (5.8)
An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to be restricted to project memebers only.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T16:09:27.128Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0223 |
vulnerable | 2026-06-03 14:48:45.867198 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:29:52.818Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0155 |
vulnerable | 2026-06-03 14:48:45.723572 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects was possible due to framing arbitrary content on any page allowing user controlled markdown
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:06:37.397Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0121 |
vulnerable | 2026-06-03 14:48:45.659668 |
Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T17:00:17.563Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0120 |
vulnerable | 2026-06-03 14:48:45.657434 |
Incorrect Authorization in GitLab
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user.
Published: 2023-09-01T10:01:51.685Z
Updated: 2025-11-20T04:05:58.275Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0050 |
vulnerable | 2026-06-03 14:48:45.494411 |
Details available
HIGH (8.7)
An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:28:39.137Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0042 |
vulnerable | 2026-06-03 14:48:45.475315 |
Details available
MEDIUM (6.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T13:41:06.344Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4462 |
vulnerable | 2026-06-03 14:48:40.976595 |
Details available
MEDIUM (5)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:27:23.832Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4376 |
vulnerable | 2026-06-03 14:48:35.610432 |
Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions, an attacker may be able to map a private email of a GitLab user to their GitLab account on an instance.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:05:51.793Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4365 |
vulnerable | 2026-06-03 14:48:35.588794 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in the Sentry error tracking settings page.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T13:51:16.139Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4343 |
vulnerable | 2026-06-03 14:48:35.546959 |
Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (5)
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in site profile.
Published: 2023-09-01T10:01:56.677Z
Updated: 2025-11-20T04:05:53.441Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4342 |
vulnerable | 2026-06-03 14:48:35.546537 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:44:33.383Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4335 |
vulnerable | 2026-06-03 14:48:35.534814 |
Details available
MEDIUM (4.3)
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-28T14:39:12.458Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4331 |
vulnerable | 2026-06-03 14:48:35.516056 |
Details available
MEDIUM (5.7)
An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T17:25:16.373Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4315 |
vulnerable | 2026-06-03 14:48:35.481913 |
Details available
MEDIUM (5)
An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page.
Published: 2023-03-08T00:00:00.000Z
Updated: 2025-03-04T15:58:11.641Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4289 |
vulnerable | 2026-06-03 14:48:35.416039 |
Details available
MEDIUM (6.4)
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users.
Published: 2023-03-09T00:00:00.000Z
Updated: 2024-08-03T01:34:50.021Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4255 |
vulnerable | 2026-06-03 14:48:35.341738 |
Details available
MEDIUM (4.3)
An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-27T20:17:04.693Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4205 |
vulnerable | 2026-06-03 14:48:35.258479 |
Details available
MEDIUM (6.3)
In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-27T20:21:18.593Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4201 |
vulnerable | 2026-06-03 14:48:35.254352 |
Details available
LOW (3.5)
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-27T20:20:58.630Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4167 |
vulnerable | 2026-06-03 14:48:35.212270 |
Details available
MEDIUM (5.3)
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:28:42.595Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4143 |
vulnerable | 2026-06-03 14:48:35.186509 |
Details available
MEDIUM (6.4)
An issue has been discovered in GitLab affecting all versions starting from 15.7 before 15.8.5, from 15.9 before 15.9.4, and from 15.10 before 15.10.1 that allows for crafted, unapproved MRs to be introduced and merged without authorization
Published: 2023-06-28T00:00:00.000Z
Updated: 2024-12-03T19:59:00.410Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4138 |
vulnerable | 2026-06-03 14:48:35.175314 |
Details available
MEDIUM (6.4)
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T19:13:19.474Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4131 |
vulnerable | 2026-06-03 14:48:35.158546 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:27:37.240Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4092 |
vulnerable | 2026-06-03 14:48:35.048181 |
Details available
MEDIUM (5.7)
An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-01T17:36:33.623Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4054 |
vulnerable | 2026-06-03 14:48:35.008375 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:15:52.961Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4037 |
vulnerable | 2026-06-03 14:48:34.963235 |
Details available
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:22:03.062Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-4007 |
vulnerable | 2026-06-03 14:48:34.893161 |
Details available
MEDIUM (5.4)
A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2023-03-08T00:00:00.000Z
Updated: 2025-03-12T19:52:24.294Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3902 |
vulnerable | 2026-06-03 14:47:59.503972 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:00:25.550Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3870 |
vulnerable | 2026-06-03 14:47:59.440159 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-09T13:14:42.655Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3820 |
vulnerable | 2026-06-03 14:47:59.336078 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:02:18.005Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3819 |
vulnerable | 2026-06-03 14:47:59.335670 |
Details available
LOW (3.5)
An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:20:42.132Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3818 |
vulnerable | 2026-06-03 14:47:59.335243 |
Details available
MEDIUM (5.3)
An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:21:26.144Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3793 |
vulnerable | 2026-06-03 14:47:59.313831 |
Details available
MEDIUM (4.3)
An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:22:11.846Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3759 |
vulnerable | 2026-06-03 14:47:59.256688 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T18:38:24.181Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3758 |
vulnerable | 2026-06-03 14:47:59.256275 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks an unauthorised user was able to read, add or edit a users private snippet.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T17:30:48.778Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3740 |
vulnerable | 2026-06-03 14:47:58.993306 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys .
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:03:23.934Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3726 |
vulnerable | 2026-06-03 14:47:58.951699 |
Details available
MEDIUM (4.8)
Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:23:10.307Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3706 |
vulnerable | 2026-06-03 14:47:58.930276 |
Details available
LOW (3.1)
Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:23:59.790Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3639 |
vulnerable | 2026-06-03 14:47:58.827766 |
Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 10.8 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Improper data handling on branch creation could have been used to trigger high CPU usage.
Published: 2022-10-21T00:00:00.000Z
Updated: 2025-05-07T14:53:08.897Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3613 |
vulnerable | 2026-06-03 14:47:58.801143 |
Details available
MEDIUM (5.8)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query can cause high resource consumption and may lead to Denial of Service.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:06:58.671Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3573 |
vulnerable | 2026-06-03 14:47:58.721931 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:15:38.863Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3572 |
vulnerable | 2026-06-03 14:47:58.721400 |
Details available
CRITICAL (9.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:03:52.887Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3514 |
vulnerable | 2026-06-03 14:47:58.632845 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:55:39.078Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3513 |
vulnerable | 2026-06-03 14:47:58.632329 |
Details available
MEDIUM (6.1)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T16:12:28.033Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3486 |
vulnerable | 2026-06-03 14:47:58.588163 |
Details available
MEDIUM (4.7)
An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:28:07.599Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3483 |
vulnerable | 2026-06-03 14:47:58.579659 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:28:48.167Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3482 |
vulnerable | 2026-06-03 14:47:58.579141 |
Details available
MEDIUM (5.3)
An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:04:21.592Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3478 |
vulnerable | 2026-06-03 14:47:58.499328 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:05:04.648Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3413 |
vulnerable | 2026-06-03 14:47:58.292938 |
Details available
MEDIUM (4.3)
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T15:53:13.899Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3411 |
vulnerable | 2026-06-03 14:47:58.292483 |
Details available
MEDIUM (6.5)
A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T18:39:31.969Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3381 |
vulnerable | 2026-06-03 14:47:58.233651 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T17:31:41.075Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3375 |
vulnerable | 2026-06-03 14:47:58.213583 |
Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when attacker has a fork of a project that was switched to private.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T21:11:02.636Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3351 |
vulnerable | 2026-06-03 14:47:58.125690 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webhooks.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T20:23:01.453Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3331 |
vulnerable | 2026-06-03 14:47:52.904628 |
Details available
LOW (3.5)
An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T20:19:13.396Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3330 |
vulnerable | 2026-06-03 14:47:52.904186 |
Details available
MEDIUM (4.3)
It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T20:17:58.974Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3325 |
vulnerable | 2026-06-03 14:47:52.894499 |
Details available
LOW (2.7)
Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:37:11.798Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3293 |
vulnerable | 2026-06-03 14:47:52.863118 |
Details available
LOW (3.5)
Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:39:25.307Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3291 |
vulnerable | 2026-06-03 14:47:52.862322 |
Details available
MEDIUM (6.5)
Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:42:30.176Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3288 |
vulnerable | 2026-06-03 14:47:52.861462 |
Details available
LOW (3.5)
A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:43:38.380Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3286 |
vulnerable | 2026-06-03 14:47:52.859064 |
Details available
MEDIUM (5.3)
Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:45:08.979Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3285 |
vulnerable | 2026-06-03 14:47:52.856985 |
Details available
MEDIUM (5.3)
Bypass of healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:24:39.816Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3283 |
vulnerable | 2026-06-03 14:47:52.853638 |
Details available
HIGH (7.5)
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 While cloning an issue with special crafted content added to the description could have been used to trigger high CPU usage.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:46:08.723Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3280 |
vulnerable | 2026-06-03 14:47:52.749364 |
Details available
LOW (3.5)
An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:25:23.142Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3279 |
vulnerable | 2026-06-03 14:47:52.748926 |
Details available
LOW (2.7)
An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:50:02.812Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3265 |
vulnerable | 2026-06-03 14:47:52.583788 |
Details available
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:26:11.438Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3067 |
vulnerable | 2026-06-03 14:47:51.935173 |
Details available
MEDIUM (6.5)
An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects' content given the project's ID.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:05:44.923Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3066 |
vulnerable | 2026-06-03 14:47:51.934616 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:18:33.204Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3060 |
vulnerable | 2026-06-03 14:47:51.922875 |
Details available
HIGH (7.3)
Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:19:52.449Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3031 |
vulnerable | 2026-06-03 14:47:51.897251 |
Details available
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:20:42.728Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3030 |
vulnerable | 2026-06-03 14:47:51.896675 |
Details available
MEDIUM (4.3)
An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:21:50.323Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3018 |
vulnerable | 2026-06-03 14:47:51.871519 |
Details available
MEDIUM (6.8)
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.
Published: 2022-10-28T00:00:00.000Z
Updated: 2025-05-07T14:36:20.373Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2992 |
vulnerable | 2026-06-03 14:47:07.704686 |
Details available
CRITICAL (9.9)
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T14:27:30.020Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2931 |
vulnerable | 2026-06-03 14:47:07.594177 |
Details available
HIGH (7.5)
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:25:28.130Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2908 |
vulnerable | 2026-06-03 14:47:07.546601 |
Details available
MEDIUM (4.3)
A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in the Commit message field.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:10:54.397Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2907 |
vulnerable | 2026-06-03 14:47:07.546146 |
Details available
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to read repository content by an unauthorised user if a project member used a crafted link.
Published: 2023-01-17T00:00:00.000Z
Updated: 2025-04-04T17:43:37.905Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2904 |
vulnerable | 2026-06-03 14:47:07.539912 |
Details available
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-11-02T00:00:00.000Z
Updated: 2025-05-02T18:47:03.811Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2884 |
vulnerable | 2026-06-03 14:47:07.515380 |
Details available
CRITICAL (9.9)
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T14:24:19.300Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2882 |
vulnerable | 2026-06-03 14:47:07.514559 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.
Published: 2022-10-28T00:00:00.000Z
Updated: 2025-05-07T15:09:31.479Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2865 |
vulnerable | 2026-06-03 14:47:07.484001 |
Details available
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T13:57:18.072Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2826 |
vulnerable | 2026-06-03 14:47:07.420336 |
Details available
LOW (2.7)
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO
Published: 2022-10-28T00:00:00.000Z
Updated: 2025-05-07T15:26:45.559Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2761 |
vulnerable | 2026-06-03 14:47:07.271458 |
Details available
MEDIUM (4.3)
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:35:56.179Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2630 |
vulnerable | 2026-06-03 14:47:06.795497 |
Details available
MEDIUM (4.3)
An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:13:05.848Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2592 |
vulnerable | 2026-06-03 14:47:06.738917 |
Details available
MEDIUM (6.5)
A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15.1.6, 15.2 prior to 15.2.4 and 15.3 prior to 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which when requested with or without authentication places excessive load on the server, potential leading to Denial of Service.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:16:27.656Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2539 |
vulnerable | 2026-06-03 14:47:06.616668 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1, allowed a project member to filter issues by contact and organization.
Published: 2022-08-05T15:09:58.000Z
Updated: 2024-08-03T00:39:08.068Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2534 |
vulnerable | 2026-06-03 14:47:06.604254 |
Details available
LOW (2.2)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was returning contributor emails due to improper data handling in the Datadog integration.
Published: 2022-08-05T15:11:53.000Z
Updated: 2024-08-03T00:39:08.000Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2533 |
vulnerable | 2026-06-03 14:47:06.603850 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:32:13.138Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2531 |
vulnerable | 2026-06-03 14:47:06.603108 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was not performing correct authentication on Grafana API under specific conditions allowing unauthenticated users to perform queries through a path traversal vulnerability.
Published: 2022-08-05T15:09:05.000Z
Updated: 2024-08-03T00:39:08.030Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2527 |
vulnerable | 2026-06-03 14:47:06.599293 |
Details available
HIGH (7.3)
An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:34:35.460Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2512 |
vulnerable | 2026-06-03 14:47:06.552250 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. Membership changes are not reflected in TODO for confidential notes, allowing a former project members to read updates via TODOs.
Published: 2022-08-05T15:09:47.000Z
Updated: 2024-08-03T00:39:07.942Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2501 |
vulnerable | 2026-06-03 14:47:06.526997 |
Details available
MEDIUM (5.9)
An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required.
Published: 2022-08-05T15:12:09.000Z
Updated: 2024-08-03T00:39:07.844Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2500 |
vulnerable | 2026-06-03 14:47:06.526609 |
Details available
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-08-05T15:12:34.000Z
Updated: 2024-08-03T00:39:07.807Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2499 |
vulnerable | 2026-06-03 14:47:06.526211 |
Details available
LOW (3.5)
An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Jira issues.
Published: 2022-08-05T15:09:33.000Z
Updated: 2024-08-03T00:39:07.654Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2498 |
vulnerable | 2026-06-03 14:47:06.525844 |
Details available
MEDIUM (6.4)
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
Published: 2022-08-05T15:10:57.000Z
Updated: 2024-08-03T00:39:07.874Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2497 |
vulnerable | 2026-06-03 14:47:06.525437 |
Details available
HIGH (8.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious developer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.
Published: 2022-08-05T15:09:19.000Z
Updated: 2024-08-03T00:39:07.794Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2459 |
vulnerable | 2026-06-03 14:47:06.420311 |
Details available
LOW (2.7)
An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled.
Published: 2022-08-05T15:12:45.000Z
Updated: 2024-08-03T00:39:07.815Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2456 |
vulnerable | 2026-06-03 14:47:06.413668 |
Details available
MEDIUM (4.9)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request.
Published: 2022-08-05T15:10:42.000Z
Updated: 2024-08-03T00:39:07.782Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2455 |
vulnerable | 2026-06-03 14:47:06.413252 |
Details available
MEDIUM (6.5)
A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:41:20.560Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2428 |
vulnerable | 2026-06-03 14:47:06.336635 |
Details available
MEDIUM (6.4)
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:48:23.382Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2417 |
vulnerable | 2026-06-03 14:47:06.312322 |
Details available
MEDIUM (6.2)
Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim pinned to a specific Git commit of the project.
Published: 2022-08-05T15:10:27.000Z
Updated: 2024-08-03T00:39:06.949Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2326 |
vulnerable | 2026-06-03 14:47:06.088976 |
Details available
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using other user's email address as an unverified secondary email.
Published: 2022-08-05T15:11:26.000Z
Updated: 2024-08-03T00:32:09.623Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2307 |
vulnerable | 2026-06-03 14:47:06.017649 |
Details available
LOW (3.5)
A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.
Published: 2022-08-05T15:11:12.000Z
Updated: 2024-08-03T00:32:09.596Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2303 |
vulnerable | 2026-06-03 14:47:06.005362 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA.
Published: 2022-08-05T15:11:39.000Z
Updated: 2024-08-03T00:32:09.595Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2281 |
vulnerable | 2026-06-03 14:47:05.935080 |
Details available
LOW (2.6)
An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases.
Published: 2022-07-01T15:48:46.000Z
Updated: 2024-08-03T00:32:09.342Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2270 |
vulnerable | 2026-06-03 14:47:05.904749 |
Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification.
Published: 2022-07-01T16:31:47.000Z
Updated: 2024-08-03T00:32:09.374Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2250 |
vulnerable | 2026-06-03 14:47:05.831611 |
Details available
MEDIUM (4.7)
An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL.
Published: 2022-07-01T15:03:14.000Z
Updated: 2024-08-03T00:32:09.428Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2244 |
vulnerable | 2026-06-03 14:47:00.507893 |
Details available
MEDIUM (4.3)
An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project memebers with reporter role to manage issues in project's error tracking feature.
Published: 2022-07-01T15:04:24.000Z
Updated: 2024-08-03T00:32:09.492Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2243 |
vulnerable | 2026-06-03 14:47:00.507428 |
Details available
MEDIUM (5)
An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects.
Published: 2022-07-01T15:52:32.000Z
Updated: 2024-08-03T00:32:09.539Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2235 |
vulnerable | 2026-06-03 14:47:00.495131 |
Details available
HIGH (8.7)
Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link
Published: 2022-07-01T15:51:14.000Z
Updated: 2024-08-03T00:32:09.564Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2230 |
vulnerable | 2026-06-03 14:47:00.485229 |
Details available
HIGH (8.1)
A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf.
Published: 2022-07-01T15:55:13.000Z
Updated: 2024-08-03T00:32:09.532Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2229 |
vulnerable | 2026-06-03 14:47:00.484683 |
Details available
HIGH (7.5)
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.
Published: 2022-07-01T16:30:45.000Z
Updated: 2024-08-03T00:32:09.479Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2228 |
vulnerable | 2026-06-03 14:47:00.484278 |
Details available
MEDIUM (5.3)
Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range
Published: 2022-07-01T16:08:11.000Z
Updated: 2024-08-03T00:32:09.424Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2227 |
vulnerable | 2026-06-03 14:47:00.483841 |
Details available
LOW (3.1)
Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions
Published: 2022-07-01T15:53:58.000Z
Updated: 2024-08-03T00:32:09.371Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2185 |
vulnerable | 2026-06-03 14:47:00.424107 |
Details available
CRITICAL (9.9)
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
Published: 2022-07-01T15:50:03.000Z
Updated: 2024-08-03T00:32:08.558Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2095 |
vulnerable | 2026-06-03 14:47:00.245639 |
Details available
MEDIUM (4.3)
An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key.
Published: 2022-08-05T15:12:59.000Z
Updated: 2024-08-03T00:24:44.172Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1999 |
vulnerable | 2026-06-03 14:46:00.049346 |
Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, using the REST API an unprivileged user was able to change labels description.
Published: 2022-07-01T16:06:59.000Z
Updated: 2024-08-03T00:24:43.699Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1983 |
vulnerable | 2026-06-03 14:46:00.020403 |
Details available
MEDIUM (6.5)
Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured.
Published: 2022-07-01T15:56:23.000Z
Updated: 2024-08-03T00:24:43.972Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1981 |
vulnerable | 2026-06-03 14:46:00.017313 |
Details available
LOW (2.7)
An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members that don't comply with domain allow-list.
Published: 2022-07-01T16:05:41.000Z
Updated: 2024-08-03T00:24:44.102Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1963 |
vulnerable | 2026-06-03 14:45:59.991562 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authentication on their account in the HTML source, to unauthenticated users.
Published: 2022-07-01T17:00:05.000Z
Updated: 2024-08-03T00:24:43.676Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1954 |
vulnerable | 2026-06-03 14:45:59.972128 |
Details available
MEDIUM (4.3)
A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers
Published: 2022-07-01T17:01:14.000Z
Updated: 2024-08-03T00:24:43.630Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1948 |
vulnerable | 2026-06-03 14:45:59.956672 |
Details available
HIGH (8.7)
An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details.
Published: 2022-07-28T14:46:01.000Z
Updated: 2024-08-03T00:24:42.604Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1944 |
vulnerable | 2026-06-03 14:45:59.948730 |
Details available
MEDIUM (5.4)
When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs
Published: 2022-06-06T16:58:35.000Z
Updated: 2024-08-03T00:24:42.991Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1940 |
vulnerable | 2026-06-03 14:45:59.942948 |
Details available
HIGH (7.7)
A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues
Published: 2022-06-06T16:52:22.000Z
Updated: 2024-08-03T00:24:42.587Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1936 |
vulnerable | 2026-06-03 14:45:59.936386 |
Details available
MEDIUM (6.5)
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured
Published: 2022-06-06T16:54:22.000Z
Updated: 2024-08-03T00:24:42.557Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1935 |
vulnerable | 2026-06-03 14:45:59.935995 |
Details available
MEDIUM (6.5)
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured
Published: 2022-06-06T16:50:27.000Z
Updated: 2024-08-03T00:24:42.627Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1821 |
vulnerable | 2026-06-03 14:45:59.683113 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.
Published: 2022-06-06T16:56:35.000Z
Updated: 2024-08-03T00:17:00.595Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1783 |
vulnerable | 2026-06-03 14:45:59.604740 |
Details available
LOW (2.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group.
Published: 2022-06-06T17:00:32.000Z
Updated: 2024-08-03T00:16:59.907Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1680 |
vulnerable | 2026-06-03 14:45:59.382688 |
Details available
CRITICAL (9.9)
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
Published: 2022-06-06T17:05:16.000Z
Updated: 2024-08-03T00:10:03.843Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1545 |
vulnerable | 2026-06-03 14:45:59.102747 |
Details available
MEDIUM (4.3)
It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note.
Published: 2022-05-11T14:25:17.000Z
Updated: 2024-08-03T00:10:02.897Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1510 |
vulnerable | 2026-06-03 14:45:59.026150 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption.
Published: 2022-05-11T14:48:22.000Z
Updated: 2024-08-03T00:03:06.350Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1460 |
vulnerable | 2026-06-03 14:45:58.932646 |
Details available
MEDIUM (6.1)
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user.
Published: 2022-05-11T14:45:11.000Z
Updated: 2024-08-03T00:03:06.291Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1433 |
vulnerable | 2026-06-03 14:45:58.898314 |
Details available
LOW (2.6)
An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute.
Published: 2022-05-11T14:27:44.000Z
Updated: 2024-08-03T00:03:06.378Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1431 |
vulnerable | 2026-06-03 14:45:58.897509 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption.
Published: 2022-05-10T20:27:54.000Z
Updated: 2024-08-03T00:03:06.272Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1428 |
vulnerable | 2026-06-03 14:45:58.890725 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was incorrectly verifying throttling limits for authenticated package requests which resulted in limits not being enforced.
Published: 2022-05-11T14:40:27.000Z
Updated: 2024-08-03T00:03:06.260Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1426 |
vulnerable | 2026-06-03 14:45:58.889842 |
Details available
LOW (2)
An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user that had some certain amount of information which allowed an user to authenticate without a personal access token.
Published: 2022-05-11T14:35:42.000Z
Updated: 2024-08-03T00:03:06.238Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1423 |
vulnerable | 2026-06-03 14:45:58.888875 |
Details available
HIGH (7.1)
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches
Published: 2022-05-19T17:12:32.000Z
Updated: 2024-08-03T00:03:06.294Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1417 |
vulnerable | 2026-06-03 14:45:58.881265 |
Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs
Published: 2022-05-10T20:30:36.000Z
Updated: 2024-08-03T00:03:06.201Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1416 |
vulnerable | 2026-06-03 14:45:58.880793 |
Details available
MEDIUM (4.3)
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling
Published: 2022-05-19T17:10:07.000Z
Updated: 2024-08-03T00:03:06.264Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1413 |
vulnerable | 2026-06-03 14:45:58.874797 |
Details available
MEDIUM (5.4)
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface
Published: 2022-05-19T17:11:12.000Z
Updated: 2024-08-03T00:03:06.276Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1406 |
vulnerable | 2026-06-03 14:45:58.865467 |
Details available
MEDIUM (6.5)
Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0 allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project
Published: 2022-05-11T14:42:27.000Z
Updated: 2024-08-03T00:03:06.362Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1352 |
vulnerable | 2026-06-03 14:45:58.598626 |
Details available
MEDIUM (5.3)
Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issue only to project members.
Published: 2022-05-11T14:30:02.000Z
Updated: 2024-08-03T00:03:05.823Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1193 |
vulnerable | 2026-06-03 14:45:58.226436 |
Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances
Published: 2022-04-11T19:38:25.000Z
Updated: 2024-08-02T23:55:24.436Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1190 |
vulnerable | 2026-06-03 14:45:58.222737 |
Details available
HIGH (8.7)
Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc.
Published: 2022-04-04T19:46:15.000Z
Updated: 2024-08-02T23:55:24.448Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1189 |
vulnerable | 2026-06-03 14:45:58.222331 |
Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 that allowed for an unauthorised user to read the the approval rules of a private project.
Published: 2022-04-04T19:46:00.000Z
Updated: 2024-08-02T23:55:24.233Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1188 |
vulnerable | 2026-06-03 14:45:58.221770 |
Details available
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible.
Published: 2022-04-04T19:46:05.000Z
Updated: 2024-08-02T23:55:24.446Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1185 |
vulnerable | 2026-06-03 14:45:58.213870 |
Details available
MEDIUM (6.5)
A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash the GitLab web application with a maliciously crafted RDoc file
Published: 2022-04-04T19:46:09.000Z
Updated: 2024-08-02T23:55:24.257Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1175 |
vulnerable | 2026-06-03 14:45:58.194369 |
Details available
HIGH (8.7)
Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.
Published: 2022-04-04T19:46:15.000Z
Updated: 2024-08-02T23:55:24.361Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1174 |
vulnerable | 2026-06-03 14:45:58.193839 |
Details available
MEDIUM (4.3)
A potential DoS vulnerability was discovered in Gitlab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to trigger high CPU usage via a special crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc.
Published: 2022-04-04T19:46:06.000Z
Updated: 2024-08-02T23:55:24.266Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1162 |
vulnerable | 2026-06-03 14:45:58.170346 |
Details available
CRITICAL (9.1)
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Published: 2022-04-04T19:46:14.000Z
Updated: 2024-08-02T23:55:24.375Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1157 |
vulnerable | 2026-06-03 14:45:58.114131 |
Details available
LOW (2.6)
Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged
Published: 2022-04-11T19:38:26.000Z
Updated: 2024-08-02T23:55:24.358Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1148 |
vulnerable | 2026-06-03 14:45:58.098354 |
Details available
MEDIUM (5.3)
Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites
Published: 2022-04-04T19:46:13.000Z
Updated: 2024-08-02T23:55:24.266Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1124 |
vulnerable | 2026-06-03 14:45:58.090938 |
Details available
MEDIUM (4.3)
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled
Published: 2022-05-11T14:50:29.000Z
Updated: 2024-08-02T23:55:24.360Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1120 |
vulnerable | 2026-06-03 14:45:58.081643 |
Details available
MEDIUM (4.8)
Missing filtering in an error message in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive information when an include directive fails in the CI/CD configuration.
Published: 2022-04-04T19:46:08.000Z
Updated: 2024-08-02T23:55:23.714Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1111 |
vulnerable | 2026-06-03 14:45:58.063216 |
Details available
LOW (2.4)
A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages
Published: 2022-04-04T19:46:10.000Z
Updated: 2024-08-02T23:55:24.171Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1105 |
vulnerable | 2026-06-03 14:45:58.021580 |
Details available
MEDIUM (4.3)
An improper access control vulnerability in GitLab CE/EE affecting all versions from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an unauthorized user to access pipeline analytics even when public pipelines are disabled
Published: 2022-04-04T19:46:04.000Z
Updated: 2024-08-02T23:55:22.835Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1100 |
vulnerable | 2026-06-03 14:45:58.012436 |
Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The api to update an asset as a link from a release had a regex check which caused exponential number of backtracks for certain user supplied values resulting in high CPU usage.
Published: 2022-04-04T19:46:02.000Z
Updated: 2024-08-02T23:55:23.609Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1099 |
vulnerable | 2026-06-03 14:45:58.012021 |
Details available
MEDIUM (4.3)
Adding a very large number of tags to a runner in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to impact the performance of GitLab
Published: 2022-04-04T19:46:03.000Z
Updated: 2024-08-02T23:55:24.230Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0751 |
vulnerable | 2026-06-03 14:45:56.831098 |
Details available
MEDIUM (6.5)
Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands
Published: 2022-03-28T18:53:03.000Z
Updated: 2024-08-02T23:40:03.589Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0741 |
vulnerable | 2026-06-03 14:45:56.805947 |
Details available
MEDIUM (5.8)
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses.
Published: 2022-04-01T22:17:40.000Z
Updated: 2024-08-02T23:40:03.552Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0740 |
vulnerable | 2026-06-03 14:45:56.805512 |
Details available
LOW (3.1)
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
Published: 2022-04-04T19:45:59.000Z
Updated: 2024-08-02T23:40:03.563Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0738 |
vulnerable | 2026-06-03 14:45:56.801785 |
Details available
MEDIUM (4.2)
An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.
Published: 2022-03-28T18:53:04.000Z
Updated: 2024-08-02T23:40:03.539Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0735 |
vulnerable | 2026-06-03 14:45:56.795615 |
Details available
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
Published: 2022-03-28T18:52:59.000Z
Updated: 2024-08-02T23:40:03.557Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0549 |
vulnerable | 2026-06-03 14:45:56.377588 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not possible to do through the Web UI.
Published: 2022-03-28T18:53:00.000Z
Updated: 2024-08-02T23:32:46.433Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0489 |
vulnerable | 2026-06-03 14:45:56.260787 |
Details available
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 . It was possible to trigger a DOS by using the math feature with a specific formula in issue comments.
Published: 2022-04-01T22:17:35.000Z
Updated: 2024-08-02T23:32:45.611Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0488 |
vulnerable | 2026-06-03 14:45:56.260350 |
Details available
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10. It was possible to trigger a timeout on a page with markdown by using a specific amount of block-quotes.
Published: 2022-03-28T18:53:08.000Z
Updated: 2024-08-02T23:32:45.231Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0477 |
vulnerable | 2026-06-03 14:45:56.239252 |
Details available
MEDIUM (4.9)
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions.
Published: 2022-04-25T16:35:06.000Z
Updated: 2024-08-02T23:32:45.789Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0427 |
vulnerable | 2026-06-03 14:45:56.158926 |
Details available
HIGH (7.7)
Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover
Published: 2022-03-28T18:53:05.000Z
Updated: 2024-08-02T23:25:40.340Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0425 |
vulnerable | 2026-06-03 14:45:56.156466 |
Details available
MEDIUM (5.4)
A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks.
Published: 2022-04-01T22:17:39.000Z
Updated: 2024-08-02T23:25:40.638Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0390 |
vulnerable | 2026-06-03 14:45:56.079277 |
Details available
MEDIUM (4.3)
Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.
Published: 2022-04-01T22:17:36.000Z
Updated: 2024-08-02T23:25:40.347Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0373 |
vulnerable | 2026-06-03 14:45:56.047724 |
Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address
Published: 2022-04-01T22:17:37.000Z
Updated: 2024-08-02T23:25:40.164Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0371 |
vulnerable | 2026-06-03 14:45:56.047003 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 before 14.5.4, all versions starting from 14.6 before 14.6.4, all versions starting from 14.7 before 14.7.1. GitLab search may allow authenticated users to search other users by their respective private emails even if a user set their email to private.
Published: 2022-03-28T18:53:01.000Z
Updated: 2024-08-02T23:25:40.560Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0344 |
vulnerable | 2026-06-03 14:45:55.993850 |
Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Private project paths can be disclosed to unauthorized users via system notes when an Issue is closed via a Merge Request and later moved to a public project
Published: 2022-03-28T18:53:07.000Z
Updated: 2024-08-02T23:25:40.256Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0283 |
vulnerable | 2026-06-03 14:45:55.835117 |
Details available
MEDIUM (4.7)
An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in GitLab integration with Jira that a could cause the web application to redirect the request to the attacker specified URL.
Published: 2022-03-28T18:53:11.000Z
Updated: 2024-08-02T23:25:40.269Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0249 |
vulnerable | 2026-06-03 14:45:55.789662 |
Details available
LOW (3.1)
A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack since requests to shared address space were not blocked.
Published: 2022-03-28T18:53:07.000Z
Updated: 2024-08-02T23:18:42.887Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0244 |
vulnerable | 2026-06-03 14:45:55.780712 |
Details available
HIGH (8.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file.
Published: 2022-01-18T16:52:00.000Z
Updated: 2024-08-02T23:18:42.896Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0172 |
vulnerable | 2026-06-03 14:45:55.577858 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones.
Published: 2022-01-18T16:51:53.000Z
Updated: 2024-08-02T23:18:41.998Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0167 |
vulnerable | 2026-06-03 14:45:55.564447 |
Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the Autocomplete attribute of fields related to sensitive information making it possible to be retrieved under certain conditions.
Published: 2022-07-01T17:02:23.000Z
Updated: 2024-08-02T23:18:41.986Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0154 |
vulnerable | 2026-06-03 14:45:55.530576 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.
Published: 2022-01-18T16:52:04.000Z
Updated: 2024-08-02T23:18:41.740Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0152 |
vulnerable | 2026-06-03 14:45:55.529628 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.
Published: 2022-01-18T16:51:56.000Z
Updated: 2024-08-02T23:18:42.056Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0151 |
vulnerable | 2026-06-03 14:45:55.529100 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions.
Published: 2022-01-18T16:51:58.000Z
Updated: 2024-08-02T23:18:41.720Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0136 |
vulnerable | 2026-06-03 14:45:55.478239 |
Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. GitLab was vulnerable to a blind SSRF attack through the Project Import feature.
Published: 2022-03-28T18:53:10.000Z
Updated: 2024-08-02T23:18:41.630Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0125 |
vulnerable | 2026-06-03 14:45:55.443000 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.
Published: 2022-01-18T16:52:06.000Z
Updated: 2024-08-02T23:18:41.803Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0124 |
vulnerable | 2026-06-03 14:45:55.442072 |
Details available
MEDIUM (4.3)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack.
Published: 2022-01-18T16:52:03.000Z
Updated: 2024-08-02T23:18:41.675Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0123 |
vulnerable | 2026-06-03 14:45:55.441265 |
Details available
MEDIUM (5.9)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.
Published: 2022-03-28T18:53:06.000Z
Updated: 2024-08-02T23:18:41.713Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0093 |
vulnerable | 2026-06-03 14:45:55.415733 |
Details available
LOW (3.5)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds.
Published: 2022-01-18T16:52:07.000Z
Updated: 2024-08-02T23:18:41.539Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0090 |
vulnerable | 2026-06-03 14:45:55.414208 |
Details available
MEDIUM (6.5)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.
Published: 2022-01-18T16:52:09.000Z
Updated: 2024-08-02T23:18:41.713Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4191 |
vulnerable | 2026-06-03 14:45:47.961093 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.
Published: 2022-03-28T18:53:12.000Z
Updated: 2024-08-03T17:16:04.293Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39946 |
vulnerable | 2026-06-03 14:45:09.879657 |
Details available
HIGH (8.7)
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis
Published: 2022-01-18T16:52:11.000Z
Updated: 2024-08-04T02:20:34.213Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39945 |
vulnerable | 2026-06-03 14:45:09.879271 |
Details available
LOW (2.7)
Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked
Published: 2021-12-13T15:47:49.000Z
Updated: 2024-08-04T02:20:34.109Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39944 |
vulnerable | 2026-06-03 14:45:09.878880 |
Details available
HIGH (7.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import
Published: 2021-12-13T15:47:48.000Z
Updated: 2024-08-04T02:20:34.148Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39943 |
vulnerable | 2026-06-03 14:45:09.878497 |
Details available
MEDIUM (4.3)
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call
Published: 2022-02-09T22:05:14.000Z
Updated: 2024-08-04T02:20:34.212Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39942 |
vulnerable | 2026-06-03 14:45:09.878112 |
Details available
MEDIUM (4.3)
A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service.
Published: 2022-01-18T16:52:12.000Z
Updated: 2024-08-04T02:20:34.141Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39941 |
vulnerable | 2026-06-03 14:45:09.877712 |
Details available
LOW (3.7)
An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members
Published: 2021-12-13T15:48:00.000Z
Updated: 2024-08-04T02:20:34.131Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39940 |
vulnerable | 2026-06-03 14:45:09.877285 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.
Published: 2021-12-13T15:47:47.000Z
Updated: 2024-08-04T02:20:34.190Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39938 |
vulnerable | 2026-06-03 14:45:09.869017 |
Details available
LOW (3.1)
A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands
Published: 2021-12-13T15:47:52.000Z
Updated: 2024-08-04T02:20:34.129Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39937 |
vulnerable | 2026-06-03 14:45:09.868641 |
Details available
MEDIUM (5.9)
A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances
Published: 2021-12-13T15:47:51.000Z
Updated: 2024-08-04T02:20:34.096Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39936 |
vulnerable | 2026-06-03 14:45:09.868261 |
Details available
LOW (3.5)
Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.
Published: 2021-12-13T15:47:50.000Z
Updated: 2024-08-04T02:20:34.197Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39935 |
vulnerable | 2026-06-03 14:45:09.867847 |
Details available
MEDIUM (6.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API
Published: 2021-12-13T15:47:59.000Z
Updated: 2026-02-03T17:20:23.263Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39934 |
vulnerable | 2026-06-03 14:45:09.867189 |
Details available
MEDIUM (4.3)
Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.
Published: 2021-12-13T15:47:57.000Z
Updated: 2024-08-04T02:20:34.187Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39933 |
vulnerable | 2026-06-03 14:45:09.866806 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack.
Published: 2021-12-13T15:47:53.000Z
Updated: 2024-08-04T02:20:34.065Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39932 |
vulnerable | 2026-06-03 14:45:09.866411 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.
Published: 2021-12-13T15:47:58.000Z
Updated: 2024-08-04T02:20:34.203Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39931 |
vulnerable | 2026-06-03 14:45:09.866035 |
Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error.
Published: 2021-12-13T15:47:50.000Z
Updated: 2024-08-04T02:20:34.167Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39930 |
vulnerable | 2026-06-03 14:45:09.865643 |
Details available
MEDIUM (4.3)
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
Published: 2021-12-13T15:48:02.000Z
Updated: 2024-08-04T02:20:34.134Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39927 |
vulnerable | 2026-06-03 14:45:09.864262 |
Details available
LOW (3.5)
Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443
Published: 2022-01-18T16:51:55.000Z
Updated: 2024-08-04T02:20:34.234Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39919 |
vulnerable | 2026-06-03 14:45:09.853528 |
Details available
MEDIUM (4.4)
In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
Published: 2021-12-13T15:47:55.000Z
Updated: 2024-08-04T02:20:34.231Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39918 |
vulnerable | 2026-06-03 14:45:09.853141 |
Details available
LOW (3.1)
Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed.
Published: 2021-12-13T15:47:46.000Z
Updated: 2024-08-04T02:20:34.144Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39917 |
vulnerable | 2026-06-03 14:45:09.852748 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack.
Published: 2021-12-13T15:47:58.000Z
Updated: 2024-08-04T02:20:34.188Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39916 |
vulnerable | 2026-06-03 14:45:09.852326 |
Details available
MEDIUM (4.3)
Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.
Published: 2021-12-13T15:47:56.000Z
Updated: 2024-08-04T02:20:33.776Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39915 |
vulnerable | 2026-06-03 14:45:09.851815 |
Details available
MEDIUM (5.3)
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
Published: 2021-12-13T15:47:54.000Z
Updated: 2024-08-04T02:20:33.854Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39914 |
vulnerable | 2026-06-03 14:45:09.851403 |
Details available
LOW (3.1)
A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user
Published: 2021-11-04T22:39:17.000Z
Updated: 2024-08-04T02:20:33.786Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39913 |
vulnerable | 2026-06-03 14:45:09.850983 |
Details available
MEDIUM (4.4)
Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges
Published: 2021-11-04T23:08:15.000Z
Updated: 2024-08-04T02:20:33.764Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39912 |
vulnerable | 2026-06-03 14:45:09.850613 |
Details available
MEDIUM (5.3)
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion.
Published: 2021-11-04T23:05:49.000Z
Updated: 2024-08-04T02:20:33.680Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39911 |
vulnerable | 2026-06-03 14:45:09.850180 |
Details available
LOW (1.7)
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers
Published: 2021-11-04T23:16:02.000Z
Updated: 2024-08-04T02:20:33.804Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39910 |
vulnerable | 2026-06-03 14:45:09.849800 |
Details available
LOW (2.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.
Published: 2021-12-13T15:47:46.000Z
Updated: 2024-08-04T02:20:33.691Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39909 |
vulnerable | 2026-06-03 14:45:09.849413 |
Details available
MEDIUM (5.3)
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances
Published: 2021-11-04T23:03:27.000Z
Updated: 2024-08-04T02:20:33.725Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39908 |
vulnerable | 2026-06-03 14:45:09.848958 |
Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.
Published: 2022-04-01T22:17:38.000Z
Updated: 2024-08-04T02:20:33.693Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39907 |
vulnerable | 2026-06-03 14:45:09.848561 |
Details available
MEDIUM (5.3)
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
Published: 2021-11-04T23:14:42.000Z
Updated: 2024-08-04T02:20:33.681Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39906 |
vulnerable | 2026-06-03 14:45:09.848150 |
Details available
HIGH (8.7)
Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
Published: 2021-11-04T23:04:36.000Z
Updated: 2024-08-04T02:20:33.690Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39905 |
vulnerable | 2026-06-03 14:45:09.847717 |
Details available
MEDIUM (4.3)
An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with
Published: 2021-11-04T23:17:10.000Z
Updated: 2024-08-04T02:20:33.677Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39904 |
vulnerable | 2026-06-03 14:45:09.844687 |
Details available
MEDIUM (4.3)
An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request
Published: 2021-11-04T23:13:11.000Z
Updated: 2024-08-04T02:20:33.680Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39903 |
vulnerable | 2026-06-03 14:45:09.844258 |
Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
Published: 2021-11-04T22:42:01.000Z
Updated: 2024-08-04T02:20:33.686Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39902 |
vulnerable | 2026-06-03 14:45:09.843784 |
Details available
MEDIUM (4.3)
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
Published: 2021-11-04T22:40:34.000Z
Updated: 2024-08-04T02:20:33.778Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39901 |
vulnerable | 2026-06-03 14:45:09.840382 |
Details available
LOW (2.7)
In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint.
Published: 2021-11-04T23:09:28.000Z
Updated: 2024-08-04T02:20:33.701Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39900 |
vulnerable | 2026-06-03 14:45:09.839939 |
Details available
LOW (2)
Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
Published: 2021-10-04T16:45:45.000Z
Updated: 2024-08-04T02:20:33.699Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39899 |
vulnerable | 2026-06-03 14:45:09.839555 |
Details available
LOW (2.9)
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
Published: 2021-10-04T16:47:01.000Z
Updated: 2024-08-04T02:20:33.678Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39898 |
vulnerable | 2026-06-03 14:45:09.839082 |
Details available
LOW (3.7)
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
Published: 2021-11-04T23:21:32.000Z
Updated: 2024-08-04T02:20:33.663Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39897 |
vulnerable | 2026-06-03 14:45:09.834846 |
Details available
LOW (2.6)
Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred
Published: 2021-11-04T23:07:04.000Z
Updated: 2024-08-04T02:20:33.759Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39896 |
vulnerable | 2026-06-03 14:45:09.834465 |
Details available
LOW (3.8)
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.
Published: 2021-10-04T16:44:28.000Z
Updated: 2024-08-04T02:20:33.774Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39895 |
vulnerable | 2026-06-03 14:45:09.834052 |
Details available
MEDIUM (6)
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.
Published: 2021-11-04T23:11:51.000Z
Updated: 2024-08-04T02:20:33.884Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39894 |
vulnerable | 2026-06-03 14:45:09.833617 |
Details available
MEDIUM (5.4)
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.
Published: 2021-10-05T12:33:05.000Z
Updated: 2024-08-04T02:20:33.670Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39893 |
vulnerable | 2026-06-03 14:45:09.833239 |
Details available
MEDIUM (5.3)
A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
Published: 2021-10-05T12:18:22.000Z
Updated: 2024-08-04T02:20:33.763Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39892 |
vulnerable | 2026-06-03 14:45:09.832811 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.
Published: 2022-01-18T16:52:13.000Z
Updated: 2024-08-04T02:20:33.593Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39891 |
vulnerable | 2026-06-03 14:45:09.832383 |
Details available
MEDIUM (5.9)
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.
Published: 2021-10-05T13:38:07.000Z
Updated: 2024-08-04T02:20:33.670Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39890 |
vulnerable | 2026-06-03 14:45:09.828286 |
Details available
LOW (3.1)
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
Published: 2021-12-06T17:34:34.000Z
Updated: 2024-08-04T02:20:33.754Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39889 |
vulnerable | 2026-06-03 14:45:09.827935 |
Details available
MEDIUM (4.3)
In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.
Published: 2021-10-05T13:43:07.000Z
Updated: 2024-08-04T02:20:33.622Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39888 |
vulnerable | 2026-06-03 14:45:09.827562 |
Details available
MEDIUM (4.3)
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.
Published: 2021-10-05T12:20:58.000Z
Updated: 2024-08-04T02:20:33.655Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39887 |
vulnerable | 2026-06-03 14:45:09.827175 |
Details available
HIGH (7.3)
A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.
Published: 2021-10-05T11:12:11.000Z
Updated: 2024-08-04T02:20:33.689Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39886 |
vulnerable | 2026-06-03 14:45:09.826785 |
Details available
LOW (2.6)
Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.
Published: 2021-10-05T13:39:17.000Z
Updated: 2024-08-04T02:20:33.642Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39885 |
vulnerable | 2026-06-03 14:45:09.826399 |
Details available
HIGH (8.7)
A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names
Published: 2021-10-04T16:33:54.000Z
Updated: 2024-08-04T02:20:33.578Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39884 |
vulnerable | 2026-06-03 14:45:09.825969 |
Details available
MEDIUM (4.3)
In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
Published: 2021-10-05T12:27:21.000Z
Updated: 2024-08-04T02:20:33.652Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39883 |
vulnerable | 2026-06-03 14:45:09.819234 |
Details available
MEDIUM (4.3)
Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups.
Published: 2021-10-04T16:49:32.000Z
Updated: 2024-08-04T02:20:33.672Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39882 |
vulnerable | 2026-06-03 14:45:09.818850 |
Details available
MEDIUM (5.3)
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
Published: 2021-10-05T12:22:05.000Z
Updated: 2024-08-04T02:20:33.633Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39881 |
vulnerable | 2026-06-03 14:45:09.818473 |
Details available
LOW (3.5)
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
Published: 2021-10-05T13:40:33.000Z
Updated: 2024-08-04T02:20:33.652Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39880 |
vulnerable | 2026-06-03 14:45:09.818041 |
Details available
MEDIUM (6.5)
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
Published: 2021-10-05T14:01:43.000Z
Updated: 2024-08-04T02:20:33.608Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39879 |
vulnerable | 2026-06-03 14:45:09.817622 |
Details available
LOW (2.2)
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication
Published: 2021-10-04T16:42:11.000Z
Updated: 2024-08-04T02:20:33.644Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39878 |
vulnerable | 2026-06-03 14:45:09.817245 |
Details available
MEDIUM (5.8)
A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code.
Published: 2021-10-05T12:17:08.000Z
Updated: 2024-08-04T02:20:33.708Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39877 |
vulnerable | 2026-06-03 14:45:09.816739 |
Details available
HIGH (7.7)
A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.
Published: 2021-10-04T16:41:04.000Z
Updated: 2024-08-04T02:20:33.679Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39876 |
vulnerable | 2026-06-03 14:45:09.816340 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.
Published: 2022-03-28T18:53:09.000Z
Updated: 2024-08-04T02:20:33.669Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39875 |
vulnerable | 2026-06-03 14:45:09.815908 |
Details available
MEDIUM (5.3)
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
Published: 2021-10-05T12:28:28.000Z
Updated: 2024-08-04T02:20:33.568Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39874 |
vulnerable | 2026-06-03 14:45:09.815510 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.
Published: 2021-10-04T16:50:47.000Z
Updated: 2024-08-04T02:20:33.620Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39873 |
vulnerable | 2026-06-03 14:45:09.815088 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.
Published: 2021-10-04T16:43:24.000Z
Updated: 2024-08-04T02:20:33.651Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39872 |
vulnerable | 2026-06-03 14:45:09.814668 |
Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.
Published: 2021-10-05T12:34:28.000Z
Updated: 2024-08-04T02:20:33.624Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39871 |
vulnerable | 2026-06-03 14:45:09.814239 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.
Published: 2021-10-04T16:48:11.000Z
Updated: 2024-08-04T02:20:33.665Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39870 |
vulnerable | 2026-06-03 14:45:09.813854 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.
Published: 2021-10-05T13:41:53.000Z
Updated: 2024-08-04T02:20:33.659Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39869 |
vulnerable | 2026-06-03 14:45:09.813424 |
Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.
Published: 2021-10-05T12:30:52.000Z
Updated: 2024-08-04T02:20:33.663Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39868 |
vulnerable | 2026-06-03 14:45:09.812975 |
Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.
Published: 2021-10-04T16:55:29.000Z
Updated: 2024-08-04T02:20:33.614Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39867 |
vulnerable | 2026-06-03 14:45:09.812517 |
Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
Published: 2021-10-05T12:29:39.000Z
Updated: 2024-08-04T02:20:33.672Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-39866 |
vulnerable | 2026-06-03 14:45:09.809770 |
Details available
MEDIUM (5.4)
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
Published: 2021-10-05T12:35:39.000Z
Updated: 2024-08-04T02:20:33.617Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22264 |
vulnerable | 2026-06-03 14:43:52.390260 |
Details available
MEDIUM (6.8)
An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.
Published: 2021-10-05T13:45:31.000Z
Updated: 2024-08-03T18:37:18.500Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22263 |
vulnerable | 2026-06-03 14:43:52.389848 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
Published: 2021-10-11T16:47:47.000Z
Updated: 2024-08-03T18:37:18.536Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22262 |
vulnerable | 2026-06-03 14:43:52.389457 |
Details available
MEDIUM (5.4)
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page
Published: 2021-10-05T13:48:15.000Z
Updated: 2024-08-03T18:37:18.492Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22261 |
vulnerable | 2026-06-03 14:43:52.389042 |
Details available
HIGH (7.3)
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
Published: 2021-10-05T13:59:40.000Z
Updated: 2024-08-03T18:37:18.487Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22260 |
vulnerable | 2026-06-03 14:43:52.388642 |
Details available
HIGH (7.7)
A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf
Published: 2021-11-04T23:10:38.000Z
Updated: 2024-08-03T18:37:18.503Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22259 |
vulnerable | 2026-06-03 14:43:52.388255 |
Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API.
Published: 2021-10-04T16:51:58.000Z
Updated: 2024-08-03T18:37:18.508Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22258 |
vulnerable | 2026-06-03 14:43:52.387887 |
Details available
MEDIUM (4.3)
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses
Published: 2021-10-05T13:49:33.000Z
Updated: 2024-08-03T18:37:18.484Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22257 |
vulnerable | 2026-06-03 14:43:52.387480 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.
Published: 2021-10-05T13:46:53.000Z
Updated: 2024-08-03T18:37:18.503Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22256 |
vulnerable | 2026-06-03 14:43:52.387060 |
Details available
MEDIUM (5.4)
Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status
Published: 2021-08-25T18:30:43.000Z
Updated: 2024-08-03T18:37:18.477Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22254 |
vulnerable | 2026-06-03 14:43:52.379641 |
Details available
LOW (3.1)
Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.
Published: 2021-08-20T17:37:29.000Z
Updated: 2024-08-03T18:37:18.539Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22253 |
vulnerable | 2026-06-03 14:43:52.379252 |
Details available
MEDIUM (4.9)
Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed
Published: 2021-08-23T19:34:47.000Z
Updated: 2024-08-03T18:37:18.258Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22252 |
vulnerable | 2026-06-03 14:43:52.378858 |
Details available
MEDIUM (6.5)
A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers
Published: 2021-08-23T19:36:39.000Z
Updated: 2024-08-03T18:37:18.277Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22251 |
vulnerable | 2026-06-03 14:43:52.378486 |
Details available
MEDIUM (4.3)
Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings
Published: 2021-08-23T19:38:04.000Z
Updated: 2024-08-03T18:37:18.163Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22250 |
vulnerable | 2026-06-03 14:43:52.378109 |
Details available
MEDIUM (5.4)
Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account
Published: 2021-08-25T18:28:30.000Z
Updated: 2024-08-03T18:37:18.267Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22249 |
vulnerable | 2026-06-03 14:43:52.377717 |
Details available
MEDIUM (4.3)
A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group
Published: 2021-08-23T19:53:20.000Z
Updated: 2024-08-03T18:37:18.281Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22248 |
vulnerable | 2026-06-03 14:43:52.377315 |
Details available
MEDIUM (5.3)
Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only
Published: 2021-08-23T19:42:07.000Z
Updated: 2024-08-03T18:37:18.266Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22247 |
vulnerable | 2026-06-03 14:43:52.376935 |
Details available
MEDIUM (4.3)
Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics
Published: 2021-08-25T18:32:59.000Z
Updated: 2024-08-03T18:37:18.175Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22246 |
vulnerable | 2026-06-03 14:43:52.376542 |
Details available
HIGH (7.7)
A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks.
Published: 2021-08-20T17:38:43.000Z
Updated: 2024-08-03T18:37:18.252Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22245 |
vulnerable | 2026-06-03 14:43:52.376128 |
Details available
LOW (2.7)
Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view
Published: 2021-08-25T18:31:57.000Z
Updated: 2024-08-03T18:37:18.243Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22244 |
vulnerable | 2026-06-03 14:43:52.375745 |
Details available
LOW (3.1)
Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data
Published: 2021-08-25T18:34:06.000Z
Updated: 2024-08-03T18:37:18.393Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22243 |
vulnerable | 2026-06-03 14:43:52.375363 |
Details available
MEDIUM (5)
Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.
Published: 2021-08-25T18:36:06.000Z
Updated: 2024-08-03T18:37:18.309Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22242 |
vulnerable | 2026-06-03 14:43:52.374952 |
Details available
HIGH (8.7)
Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
Published: 2021-08-25T18:38:24.000Z
Updated: 2024-08-03T18:37:18.232Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22241 |
vulnerable | 2026-06-03 14:43:52.374521 |
Details available
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name.
Published: 2021-08-05T19:28:23.000Z
Updated: 2024-08-03T18:37:18.367Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22239 |
vulnerable | 2026-06-03 14:43:52.370041 |
Details available
MEDIUM (5)
An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later.
Published: 2021-09-09T14:41:34.000Z
Updated: 2024-08-03T18:37:18.281Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22238 |
vulnerable | 2026-06-03 14:43:52.369662 |
Details available
MEDIUM (6.8)
An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.
Published: 2021-08-20T17:39:54.000Z
Updated: 2024-08-03T18:37:18.293Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22237 |
vulnerable | 2026-06-03 14:43:52.369285 |
Details available
MEDIUM (6.6)
Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2
Published: 2021-08-25T18:37:19.000Z
Updated: 2024-08-03T18:37:18.434Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22236 |
vulnerable | 2026-06-03 14:43:52.368884 |
Details available
MEDIUM (5.5)
Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
Published: 2021-08-25T18:39:18.000Z
Updated: 2024-08-03T18:37:18.092Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22234 |
vulnerable | 2026-06-03 14:43:52.368054 |
Details available
CRITICAL (9.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.0.4. A specially crafted design image allowed attackers to read arbitrary files on the server.
Published: 2021-08-05T20:30:25.000Z
Updated: 2024-08-03T18:37:18.427Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22233 |
vulnerable | 2026-06-03 14:43:52.367658 |
Details available
MEDIUM (4.3)
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
Published: 2021-07-07T13:22:15.000Z
Updated: 2024-08-03T18:37:18.418Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22232 |
vulnerable | 2026-06-03 14:43:52.367298 |
Details available
LOW (3.5)
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
Published: 2021-07-06T20:43:43.000Z
Updated: 2024-08-03T18:37:18.237Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22231 |
vulnerable | 2026-06-03 14:43:52.366911 |
Details available
LOW (3.5)
A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username.
Published: 2021-07-07T10:28:23.000Z
Updated: 2024-08-03T18:37:18.497Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22230 |
vulnerable | 2026-06-03 14:43:52.366472 |
Details available
MEDIUM (4.9)
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
Published: 2021-07-07T10:47:31.000Z
Updated: 2024-08-03T18:37:18.220Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22229 |
vulnerable | 2026-06-03 14:43:52.366102 |
Details available
MEDIUM (5.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member.
Published: 2021-07-06T20:30:47.000Z
Updated: 2024-08-03T18:37:17.875Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22228 |
vulnerable | 2026-06-03 14:43:52.365745 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. Improper access control allows unauthorised users to access project details using Graphql.
Published: 2021-07-06T21:34:10.000Z
Updated: 2024-08-03T18:37:18.219Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22227 |
vulnerable | 2026-06-03 14:43:52.363486 |
Details available
MEDIUM (6.1)
A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it
Published: 2021-07-07T10:40:54.000Z
Updated: 2024-08-03T18:37:18.316Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22226 |
vulnerable | 2026-06-03 14:43:52.363087 |
Details available
MEDIUM (6.5)
Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9
Published: 2021-07-06T20:56:53.000Z
Updated: 2024-08-03T18:37:17.937Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22225 |
vulnerable | 2026-06-03 14:43:52.362736 |
Details available
MEDIUM (4.7)
Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
Published: 2021-07-07T11:19:53.000Z
Updated: 2024-08-03T18:37:17.432Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22224 |
vulnerable | 2026-06-03 14:43:52.362398 |
Details available
HIGH (7.1)
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim
Published: 2021-07-07T11:26:37.000Z
Updated: 2024-08-03T18:37:18.269Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22223 |
vulnerable | 2026-06-03 14:43:52.361983 |
Details available
MEDIUM (6.1)
Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link
Published: 2021-07-06T21:50:25.000Z
Updated: 2024-08-03T18:37:18.268Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22221 |
vulnerable | 2026-06-03 14:43:52.355008 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired
Published: 2021-06-08T18:52:20.000Z
Updated: 2024-08-03T18:37:18.251Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22220 |
vulnerable | 2026-06-03 14:43:52.354657 |
Details available
MEDIUM (6.1)
An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.
Published: 2021-06-08T19:05:00.000Z
Updated: 2024-08-03T18:37:18.105Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22219 |
vulnerable | 2026-06-03 14:43:52.354248 |
Details available
MEDIUM (4.4)
All versions of GitLab CE/EE starting from 9.5 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 allow a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
Published: 2021-06-08T18:38:17.000Z
Updated: 2024-08-03T18:37:17.702Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22218 |
vulnerable | 2026-06-03 14:43:52.353783 |
Details available
LOW (2.6)
All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.
Published: 2021-06-08T15:04:57.000Z
Updated: 2024-08-03T18:37:17.682Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22217 |
vulnerable | 2026-06-03 14:43:52.353380 |
Details available
MEDIUM (6.5)
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request
Published: 2021-06-08T18:25:29.000Z
Updated: 2024-08-03T18:37:17.638Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22216 |
vulnerable | 2026-06-03 14:43:52.352977 |
Details available
MEDIUM (6.5)
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description
Published: 2021-06-08T19:19:25.000Z
Updated: 2024-08-03T18:37:18.260Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22215 |
vulnerable | 2026-06-03 14:43:52.352617 |
Details available
HIGH (7.5)
An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects
Published: 2021-06-08T15:13:29.000Z
Updated: 2024-08-03T18:37:18.303Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22214 |
vulnerable | 2026-06-03 14:43:52.352290 |
Details available
MEDIUM (6.8)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
Published: 2021-06-08T14:59:37.000Z
Updated: 2024-08-03T18:37:18.229Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22213 |
vulnerable | 2026-06-03 14:43:52.351866 |
Details available
HIGH (8.8)
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
Published: 2021-06-08T18:03:58.000Z
Updated: 2024-08-03T18:37:18.348Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22211 |
vulnerable | 2026-06-03 14:43:52.347865 |
Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
Published: 2021-05-05T22:03:25.000Z
Updated: 2024-08-03T18:37:18.409Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22210 |
vulnerable | 2026-06-03 14:43:52.347491 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
Published: 2021-05-06T13:19:32.000Z
Updated: 2024-08-03T18:37:17.924Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22209 |
vulnerable | 2026-06-03 14:43:52.347093 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
Published: 2021-05-06T13:37:47.000Z
Updated: 2024-08-03T18:37:18.262Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22208 |
vulnerable | 2026-06-03 14:43:52.346676 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.
Published: 2021-05-06T13:35:17.000Z
Updated: 2024-08-03T18:37:18.290Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22206 |
vulnerable | 2026-06-03 14:43:52.343247 |
Details available
MEDIUM (6.8)
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,
Published: 2021-05-06T13:25:10.000Z
Updated: 2024-08-03T18:37:18.443Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22205 |
vulnerable | 2026-06-03 14:43:52.342793 |
Details available
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Published: 2021-04-23T17:39:36.000Z
Updated: 2025-10-21T23:25:48.290Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22203 |
vulnerable | 2026-06-03 14:43:52.335741 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
Published: 2021-04-02T16:16:15.000Z
Updated: 2024-08-03T18:37:17.326Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22202 |
vulnerable | 2026-06-03 14:43:52.335331 |
Details available
LOW (2.4)
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
Published: 2021-04-02T16:25:43.000Z
Updated: 2024-08-03T18:37:18.190Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22201 |
vulnerable | 2026-06-03 14:43:52.334918 |
Details available
CRITICAL (9.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
Published: 2021-04-02T16:17:40.000Z
Updated: 2024-08-03T18:37:18.224Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22200 |
vulnerable | 2026-06-03 14:43:52.331597 |
Details available
MEDIUM (5.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
Published: 2021-04-02T16:22:37.000Z
Updated: 2024-08-03T18:37:18.276Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22199 |
vulnerable | 2026-06-03 14:43:52.331208 |
Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
Published: 2021-04-22T21:56:00.000Z
Updated: 2024-08-03T18:37:18.257Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22198 |
vulnerable | 2026-06-03 14:43:52.330805 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
Published: 2021-04-02T16:20:10.000Z
Updated: 2024-08-03T18:37:17.882Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22197 |
vulnerable | 2026-06-03 14:43:52.330403 |
Details available
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other
Published: 2021-04-02T16:21:24.000Z
Updated: 2024-08-03T18:37:17.487Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22196 |
vulnerable | 2026-06-03 14:43:52.329967 |
Details available
MEDIUM (6.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
Published: 2021-04-02T16:14:37.000Z
Updated: 2024-08-03T18:37:17.698Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22194 |
vulnerable | 2026-06-03 14:43:52.322516 |
Details available
MEDIUM (5.7)
In all versions of GitLab, marshalled session keys were being stored in Redis.
Published: 2021-03-26T19:08:16.000Z
Updated: 2024-08-03T18:37:18.118Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22193 |
vulnerable | 2026-06-03 14:43:52.322122 |
Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
Published: 2021-03-24T16:57:47.000Z
Updated: 2024-08-03T18:37:18.311Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22192 |
vulnerable | 2026-06-03 14:43:52.321520 |
Details available
CRITICAL (9.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
Published: 2021-03-24T16:36:47.000Z
Updated: 2024-08-03T18:37:17.341Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22190 |
vulnerable | 2026-06-03 14:43:52.320612 |
Details available
HIGH (8.5)
A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token
Published: 2021-04-12T14:31:04.000Z
Updated: 2024-08-03T18:37:18.205Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22189 |
vulnerable | 2026-06-03 14:43:52.320216 |
Details available
MEDIUM (5.9)
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
Published: 2021-03-04T14:54:34.000Z
Updated: 2024-08-03T18:37:18.364Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22188 |
vulnerable | 2026-06-03 14:43:52.319828 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
Published: 2021-03-03T17:56:21.000Z
Updated: 2024-08-03T18:37:18.206Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22187 |
vulnerable | 2026-06-03 14:43:52.319417 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.
Published: 2021-03-02T18:15:16.000Z
Updated: 2024-08-03T18:37:18.277Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22186 |
vulnerable | 2026-06-03 14:43:52.319034 |
Details available
MEDIUM (4.9)
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
Published: 2021-03-24T16:42:06.000Z
Updated: 2024-08-03T18:37:17.915Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22185 |
vulnerable | 2026-06-03 14:43:52.318630 |
Details available
MEDIUM (5.4)
Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki
Published: 2021-03-24T16:39:21.000Z
Updated: 2024-08-03T18:37:18.297Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22184 |
vulnerable | 2026-06-03 14:43:52.318240 |
Details available
MEDIUM (6.2)
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
Published: 2021-03-26T19:11:39.000Z
Updated: 2024-08-03T18:37:18.076Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22183 |
vulnerable | 2026-06-03 14:43:52.317855 |
Details available
MEDIUM (4.1)
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
Published: 2021-03-04T14:56:28.000Z
Updated: 2024-08-03T18:37:18.244Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22182 |
vulnerable | 2026-06-03 14:43:52.317449 |
Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request.
Published: 2021-03-03T17:57:50.000Z
Updated: 2024-08-03T18:37:17.169Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22181 |
vulnerable | 2026-06-03 14:43:52.317053 |
Details available
HIGH (7.7)
A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
Published: 2021-06-11T15:43:20.000Z
Updated: 2024-08-03T18:37:17.999Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22180 |
vulnerable | 2026-06-03 14:43:52.316667 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
Published: 2021-03-26T19:09:59.000Z
Updated: 2024-08-03T18:37:17.452Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22179 |
vulnerable | 2026-06-03 14:43:52.316249 |
Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
Published: 2021-03-24T16:48:30.000Z
Updated: 2024-08-03T18:37:17.689Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22178 |
vulnerable | 2026-06-03 14:43:52.315839 |
Details available
MEDIUM (5)
An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.
Published: 2021-03-24T16:59:51.000Z
Updated: 2024-08-03T18:37:17.932Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22177 |
vulnerable | 2026-06-03 14:43:52.315441 |
Details available
MEDIUM (4.3)
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
Published: 2021-04-01T14:19:07.000Z
Updated: 2024-08-03T18:37:17.998Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22176 |
vulnerable | 2026-06-03 14:43:52.315015 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
Published: 2021-03-24T16:46:05.000Z
Updated: 2024-08-03T18:37:17.155Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22175 |
vulnerable | 2026-06-03 14:43:52.314590 |
Details available
MEDIUM (6.8)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
Published: 2021-06-11T15:30:12.000Z
Updated: 2026-02-19T04:55:37.221Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22172 |
vulnerable | 2026-06-03 14:43:52.306863 |
Details available
MEDIUM (4.3)
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page
Published: 2021-03-26T19:06:48.000Z
Updated: 2024-08-03T18:37:17.263Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22171 |
vulnerable | 2026-06-03 14:43:52.306401 |
Details available
HIGH (7.3)
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
Published: 2021-01-15T15:10:39.000Z
Updated: 2024-08-03T18:37:18.342Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22170 |
vulnerable | 2026-06-03 14:43:52.306005 |
Details available
MEDIUM (6.2)
Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted content
Published: 2021-12-06T17:35:58.000Z
Updated: 2024-08-03T18:37:18.131Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22169 |
vulnerable | 2026-06-03 14:43:52.305619 |
Details available
MEDIUM (4.3)
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
Published: 2021-03-24T17:03:04.000Z
Updated: 2024-08-03T18:37:18.113Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22168 |
vulnerable | 2026-06-03 14:43:52.305195 |
Details available
MEDIUM (4.3)
A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
Published: 2021-01-15T15:05:18.000Z
Updated: 2024-08-03T18:37:17.218Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22167 |
vulnerable | 2026-06-03 14:43:52.304730 |
Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
Published: 2021-01-15T15:12:17.000Z
Updated: 2024-08-03T18:37:18.547Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-22166 |
vulnerable | 2026-06-03 14:43:52.302873 |
Details available
MEDIUM (5.3)
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method
Published: 2021-01-15T15:13:51.000Z
Updated: 2024-08-03T18:37:17.189Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-26415 |
vulnerable | 2026-06-03 14:42:16.835719 |
Details available
MEDIUM (4.3)
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
Published: 2020-12-11T03:29:26.000Z
Updated: 2024-08-04T15:56:04.810Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-26414 |
vulnerable | 2026-06-03 14:42:16.835334 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
Published: 2021-01-15T15:15:18.000Z
Updated: 2024-08-04T15:56:04.447Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-26411 |
vulnerable | 2026-06-03 14:42:16.834116 |
Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused.
Published: 2020-12-11T04:09:00.000Z
Updated: 2024-08-04T15:56:03.962Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13346 |
vulnerable | 2026-06-03 14:41:36.555789 |
Details available
MEDIUM (6.5)
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
Published: 2020-10-07T13:21:28.000Z
Updated: 2024-08-04T12:18:17.541Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13345 |
vulnerable | 2026-06-03 14:41:36.555395 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes
Published: 2020-10-06T18:26:15.000Z
Updated: 2024-08-04T12:18:17.684Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13344 |
vulnerable | 2026-06-03 14:41:36.554990 |
Details available
MEDIUM (5.7)
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis
Published: 2020-10-08T13:43:02.000Z
Updated: 2024-08-04T12:18:17.452Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13343 |
vulnerable | 2026-06-03 14:41:36.554620 |
Details available
HIGH (7.5)
An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized Users Can View Custom Project Template
Published: 2020-10-06T18:24:10.000Z
Updated: 2024-08-04T12:18:17.542Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13342 |
vulnerable | 2026-06-03 14:41:36.554276 |
Details available
LOW (2.7)
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
Published: 2020-10-07T15:57:08.000Z
Updated: 2024-08-04T12:18:17.451Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13341 |
vulnerable | 2026-06-03 14:41:36.553882 |
Details available
MEDIUM (4.9)
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions.
Published: 2020-10-12T13:20:07.000Z
Updated: 2024-08-04T12:18:17.524Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13340 |
vulnerable | 2026-06-03 14:41:36.553484 |
Details available
HIGH (8.7)
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log
Published: 2020-10-08T13:46:33.000Z
Updated: 2024-08-04T12:18:17.588Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13339 |
vulnerable | 2026-06-03 14:41:36.553112 |
Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
Published: 2020-10-08T13:51:33.000Z
Updated: 2024-08-04T12:18:17.524Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13338 |
vulnerable | 2026-06-03 14:41:36.552741 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references.
Published: 2020-10-02T19:20:06.000Z
Updated: 2024-08-04T12:18:17.515Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13337 |
vulnerable | 2026-06-03 14:41:36.552349 |
Details available
HIGH (7.2)
An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.
Published: 2020-10-02T19:15:50.000Z
Updated: 2024-08-04T12:18:17.783Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13336 |
vulnerable | 2026-06-03 14:41:36.551973 |
Details available
MEDIUM (4)
An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS by in the error tracking feature.
Published: 2020-09-30T20:56:45.000Z
Updated: 2024-08-04T12:18:17.577Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13335 |
vulnerable | 2026-06-03 14:41:36.551626 |
Details available
MEDIUM (4.3)
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.
Published: 2020-10-07T13:03:23.000Z
Updated: 2024-08-04T12:18:17.616Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13334 |
vulnerable | 2026-06-03 14:41:36.551180 |
Details available
MEDIUM (5.9)
In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query
Published: 2020-10-07T13:18:20.000Z
Updated: 2024-08-04T12:18:18.242Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13333 |
vulnerable | 2026-06-03 14:41:36.541327 |
Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in GitLab versions 13.1, 13.2 and 13.3. The api to update an asset as a link from a release had a regex check which caused exponential number of backtracks for certain user supplied values resulting in high CPU usage.
Published: 2020-10-06T18:30:03.000Z
Updated: 2024-08-04T12:18:17.569Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13331 |
vulnerable | 2026-06-03 14:41:36.540879 |
Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the Wiki pasges.
Published: 2020-09-29T17:47:52.000Z
Updated: 2024-08-04T12:18:17.097Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13330 |
vulnerable | 2026-06-03 14:41:36.540606 |
Details available
MEDIUM (4.4)
An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in import the Bitbucket project feature.
Published: 2020-09-29T17:41:40.000Z
Updated: 2024-08-04T12:18:17.101Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13329 |
vulnerable | 2026-06-03 14:41:36.540322 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the blob view feature.
Published: 2020-09-29T16:11:44.000Z
Updated: 2024-08-04T12:18:17.541Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13328 |
vulnerable | 2026-06-03 14:41:36.540026 |
Details available
MEDIUM (4.8)
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API.
Published: 2020-09-29T16:09:37.000Z
Updated: 2024-08-04T12:18:17.584Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13326 |
vulnerable | 2026-06-03 14:41:36.539374 |
Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for Github project import could be bypassed.
Published: 2020-09-29T18:45:49.000Z
Updated: 2024-08-04T12:18:17.045Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13325 |
vulnerable | 2026-06-03 14:41:36.539054 |
Details available
HIGH (7.1)
A vulnerability was discovered in GitLab versions prior 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service.
Published: 2020-09-29T18:33:33.000Z
Updated: 2024-08-04T12:18:17.028Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13324 |
vulnerable | 2026-06-03 14:41:36.538636 |
Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API.
Published: 2020-09-29T18:36:34.000Z
Updated: 2024-08-04T12:18:17.015Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13323 |
vulnerable | 2026-06-03 14:41:36.538321 |
Details available
HIGH (7.7)
A vulnerability was discovered in GitLab versions prior 13.1. Under certain conditions private merge requests could be read via Todos
Published: 2020-09-29T18:29:37.000Z
Updated: 2024-08-04T12:18:17.065Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13322 |
vulnerable | 2026-06-03 14:41:36.538004 |
Details available
HIGH (7.2)
A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.
Published: 2020-09-29T16:01:12.000Z
Updated: 2024-08-04T12:18:17.099Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13321 |
vulnerable | 2026-06-03 14:41:36.537684 |
Details available
HIGH (8.3)
A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added.
Published: 2020-09-29T18:40:43.000Z
Updated: 2024-08-04T12:18:17.095Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13320 |
vulnerable | 2026-06-03 14:41:36.537373 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.
Published: 2020-09-29T16:07:52.000Z
Updated: 2024-08-04T12:18:17.019Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13319 |
vulnerable | 2026-06-03 14:41:36.537066 |
Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.
Published: 2020-09-29T15:58:06.000Z
Updated: 2024-08-04T12:18:17.073Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13318 |
vulnerable | 2026-06-03 14:41:36.536698 |
Details available
MEDIUM (6.4)
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLabs EKS integration was vulnerable to a cross-account assume role attack.
Published: 2020-09-14T18:50:47.000Z
Updated: 2024-08-04T12:18:17.071Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13317 |
vulnerable | 2026-06-03 14:41:36.536312 |
Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository.
Published: 2020-09-14T19:36:25.000Z
Updated: 2024-08-04T12:18:17.064Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13316 |
vulnerable | 2026-06-03 14:41:36.535905 |
Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line.
Published: 2020-09-14T18:41:53.000Z
Updated: 2024-08-04T12:18:17.096Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13315 |
vulnerable | 2026-06-03 14:41:36.535554 |
Details available
LOW (3.7)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The profile activity page was not restricting the amount of results one could request, potentially resulting in a denial of service.
Published: 2020-09-14T21:32:16.000Z
Updated: 2024-08-04T12:18:17.032Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13314 |
vulnerable | 2026-06-03 14:41:36.535176 |
Details available
LOW (3.7)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages.
Published: 2020-09-14T19:50:28.000Z
Updated: 2024-08-04T12:18:17.069Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13313 |
vulnerable | 2026-06-03 14:41:36.534783 |
Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
Published: 2020-09-14T19:40:20.000Z
Updated: 2024-08-04T12:18:17.034Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13312 |
vulnerable | 2026-06-03 14:41:36.534393 |
Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.
Published: 2020-09-14T19:44:41.000Z
Updated: 2024-08-04T12:18:17.549Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13311 |
vulnerable | 2026-06-03 14:41:36.533999 |
Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Wiki was vulnerable to a parser attack that prohibits anyone from accessing the Wiki functionality through the user interface.
Published: 2020-09-14T19:47:00.000Z
Updated: 2024-08-04T12:18:16.661Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13310 |
vulnerable | 2026-06-03 14:41:36.533650 |
Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab runner versions before 13.1.3, 13.2.3 and 13.3.1. It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial of service.
Published: 2020-09-14T21:33:50.000Z
Updated: 2024-08-04T12:18:17.028Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13309 |
vulnerable | 2026-06-03 14:41:36.533312 |
Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature.
Published: 2020-09-14T21:36:54.000Z
Updated: 2024-08-04T12:18:17.002Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13308 |
vulnerable | 2026-06-03 14:41:36.532947 |
Details available
LOW (2.7)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. A user without 2 factor authentication enabled could be prohibited from accessing GitLab by being invited into a project that had 2 factor authentication inheritance.
Published: 2020-09-15T12:30:33.000Z
Updated: 2024-08-04T12:18:17.035Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13307 |
vulnerable | 2026-06-03 14:41:36.532546 |
Details available
LOW (3.8)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access.
Published: 2020-09-15T12:34:43.000Z
Updated: 2024-08-04T12:18:16.643Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13306 |
vulnerable | 2026-06-03 14:41:36.532186 |
Details available
LOW (3.7)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Webhook feature could be abused to perform denial of service attacks due to the lack of rate limitation.
Published: 2020-09-14T21:28:16.000Z
Updated: 2024-08-04T12:18:17.022Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13305 |
vulnerable | 2026-06-03 14:41:36.531853 |
Details available
LOW (3.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project.
Published: 2020-09-14T21:42:54.000Z
Updated: 2024-08-04T12:18:17.023Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13304 |
vulnerable | 2026-06-03 14:41:36.531525 |
Details available
LOW (3.8)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions.
Published: 2020-09-14T21:19:55.000Z
Updated: 2024-08-04T12:18:16.662Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13303 |
vulnerable | 2026-06-03 14:41:36.531135 |
Details available
HIGH (7.1)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
Published: 2020-09-15T12:27:32.000Z
Updated: 2024-08-04T12:18:17.068Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13302 |
vulnerable | 2026-06-03 14:41:36.530788 |
Details available
LOW (3.8)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password.
Published: 2020-09-14T21:23:24.000Z
Updated: 2024-08-04T12:18:16.653Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13301 |
vulnerable | 2026-06-03 14:41:36.530459 |
Details available
MEDIUM (5.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page.
Published: 2020-09-14T21:26:35.000Z
Updated: 2024-08-04T12:11:19.527Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13300 |
vulnerable | 2026-06-03 14:41:36.530076 |
Details available
HIGH (8)
GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
Published: 2020-09-14T18:34:29.000Z
Updated: 2024-08-04T12:11:19.601Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13299 |
vulnerable | 2026-06-03 14:41:36.529695 |
Details available
HIGH (8.1)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
Published: 2020-09-14T18:36:52.000Z
Updated: 2024-08-04T12:11:19.604Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13298 |
vulnerable | 2026-06-03 14:41:36.529331 |
Details available
HIGH (7.2)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Conan package upload functionality was not properly validating the supplied parameters, which resulted in the limited files disclosure.
Published: 2020-09-14T21:44:42.000Z
Updated: 2024-08-04T12:11:19.559Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13297 |
vulnerable | 2026-06-03 14:41:36.528969 |
Details available
LOW (3.8)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint.
Published: 2020-09-14T21:22:03.000Z
Updated: 2024-08-04T12:11:19.550Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13296 |
vulnerable | 2026-06-03 14:41:36.528589 |
Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens
Published: 2020-09-29T15:54:15.000Z
Updated: 2024-08-04T12:11:19.552Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13294 |
vulnerable | 2026-06-03 14:41:36.522648 |
Details available
MEDIUM (4.2)
In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not revoked when a user revoked access to an application.
Published: 2020-08-10T13:30:12.000Z
Updated: 2024-08-04T12:11:19.494Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13293 |
vulnerable | 2026-06-03 14:41:36.522321 |
Details available
MEDIUM (6.3)
In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.
Published: 2020-08-10T13:28:58.000Z
Updated: 2024-08-04T12:11:19.491Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13292 |
vulnerable | 2026-06-03 14:41:36.521986 |
Details available
CRITICAL (9.6)
In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow.
Published: 2020-08-10T13:33:23.000Z
Updated: 2024-08-04T12:11:19.453Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13291 |
vulnerable | 2026-06-03 14:41:36.521608 |
Details available
HIGH (8.1)
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
Published: 2020-08-12T14:15:00.000Z
Updated: 2024-08-04T12:11:19.532Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13290 |
vulnerable | 2026-06-03 14:41:36.521267 |
Details available
HIGH (7.5)
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page
Published: 2020-08-12T14:24:24.000Z
Updated: 2024-08-04T12:11:19.547Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13289 |
vulnerable | 2026-06-03 14:41:36.520867 |
Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. In certain cases an invalid username could be accepted when 2FA is activated.
Published: 2020-09-14T18:45:54.000Z
Updated: 2024-08-04T12:11:19.459Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13288 |
vulnerable | 2026-06-03 14:41:36.520487 |
Details available
MEDIUM (5.5)
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page
Published: 2020-08-12T14:06:41.000Z
Updated: 2024-08-04T12:11:19.550Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13287 |
vulnerable | 2026-06-03 14:41:36.520087 |
Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see confidential EPIC attached to confidential issues
Published: 2020-09-14T18:43:44.000Z
Updated: 2024-08-04T12:11:19.555Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13286 |
vulnerable | 2026-06-03 14:41:36.519662 |
Details available
MEDIUM (6.4)
For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.
Published: 2020-08-13T13:30:55.000Z
Updated: 2024-08-04T12:11:19.556Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13285 |
vulnerable | 2026-06-03 14:41:36.519260 |
Details available
HIGH (7.3)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip.
Published: 2020-08-13T12:45:07.000Z
Updated: 2024-08-04T12:11:19.514Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13284 |
vulnerable | 2026-06-03 14:41:36.518865 |
Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token
Published: 2020-09-14T18:48:36.000Z
Updated: 2024-08-04T12:11:19.437Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13283 |
vulnerable | 2026-06-03 14:41:36.518463 |
Details available
HIGH (7.3)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title.
Published: 2020-08-13T12:38:29.000Z
Updated: 2024-08-04T12:11:19.430Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13282 |
vulnerable | 2026-06-03 14:41:36.518050 |
Details available
LOW (3.1)
For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading to improper access.
Published: 2020-08-13T12:33:52.000Z
Updated: 2024-08-04T12:11:19.525Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13281 |
vulnerable | 2026-06-03 14:41:36.517631 |
Details available
MEDIUM (6.5)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a denial of service exists in the project import feature
Published: 2020-08-13T13:22:23.000Z
Updated: 2024-08-04T12:11:19.554Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13280 |
vulnerable | 2026-06-03 14:41:36.517179 |
Details available
MEDIUM (6.5)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.
Published: 2020-08-13T12:49:19.000Z
Updated: 2024-08-04T12:11:19.553Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13277 |
vulnerable | 2026-06-03 14:41:36.507606 |
Details available
MEDIUM (6.3)
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5
Published: 2020-06-19T17:20:01.000Z
Updated: 2024-08-04T12:11:19.490Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13276 |
vulnerable | 2026-06-03 14:41:36.507198 |
Details available
HIGH (7.4)
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1
Published: 2020-06-19T21:37:54.000Z
Updated: 2024-08-04T12:11:19.431Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13275 |
vulnerable | 2026-06-03 14:41:36.506754 |
Details available
HIGH (8)
A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1
Published: 2020-06-19T21:55:32.000Z
Updated: 2024-08-04T12:11:19.491Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13274 |
vulnerable | 2026-06-03 14:41:36.506326 |
Details available
HIGH (7.5)
A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1
Published: 2020-06-19T21:53:45.000Z
Updated: 2024-08-04T12:11:19.491Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13273 |
vulnerable | 2026-06-03 14:41:36.505938 |
Details available
HIGH (7.5)
A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1
Published: 2020-06-19T21:51:37.000Z
Updated: 2024-08-04T12:11:19.428Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13272 |
vulnerable | 2026-06-03 14:41:36.505419 |
Details available
HIGH (7.5)
OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
Published: 2020-06-19T21:40:04.000Z
Updated: 2024-08-04T12:11:19.447Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13271 |
vulnerable | 2026-06-03 14:41:36.505027 |
Details available
MEDIUM (6.1)
A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1
Published: 2020-06-10T14:25:15.000Z
Updated: 2024-08-04T12:11:19.411Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13270 |
vulnerable | 2026-06-03 14:41:36.504619 |
Details available
HIGH (7.5)
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API
Published: 2020-06-10T14:35:07.000Z
Updated: 2024-08-04T12:11:19.468Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13269 |
vulnerable | 2026-06-03 14:41:36.504225 |
Details available
MEDIUM (6.1)
A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1
Published: 2020-06-10T14:38:12.000Z
Updated: 2024-08-04T12:11:19.487Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13268 |
vulnerable | 2026-06-03 14:41:36.503841 |
Details available
MEDIUM (5.3)
A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1
Published: 2020-06-10T14:32:13.000Z
Updated: 2024-08-04T12:11:19.488Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13267 |
vulnerable | 2026-06-03 14:41:36.503455 |
Details available
MEDIUM (6.1)
A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1
Published: 2020-06-10T14:29:12.000Z
Updated: 2024-08-04T12:11:19.470Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13266 |
vulnerable | 2026-06-03 14:41:36.503079 |
Details available
MEDIUM (4.3)
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions
Published: 2020-06-09T15:34:39.000Z
Updated: 2024-08-04T12:11:19.473Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13265 |
vulnerable | 2026-06-03 14:41:36.502671 |
Details available
MEDIUM (4.3)
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification
Published: 2020-06-19T21:42:04.000Z
Updated: 2024-08-04T12:11:19.478Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13264 |
vulnerable | 2026-06-03 14:41:36.502233 |
Details available
MEDIUM (5.3)
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
Published: 2020-06-19T22:13:52.000Z
Updated: 2024-08-04T12:11:19.466Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13263 |
vulnerable | 2026-06-03 14:41:36.501783 |
Details available
HIGH (7.5)
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions.
Published: 2020-06-19T22:15:37.000Z
Updated: 2024-08-04T12:11:19.416Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13262 |
vulnerable | 2026-06-03 14:41:36.501303 |
Details available
MEDIUM (6.1)
Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link
Published: 2020-06-19T21:59:20.000Z
Updated: 2024-08-04T12:11:19.462Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13261 |
vulnerable | 2026-06-03 14:41:36.498873 |
Details available
MEDIUM (5.3)
Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code
Published: 2020-06-19T22:11:59.000Z
Updated: 2024-08-04T12:11:19.551Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-5472 |
vulnerable | 2026-06-03 14:40:30.238590 |
Details available
An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainer to delete epic comments.
Published: 2020-01-28T02:52:04.000Z
Updated: 2024-08-04T19:54:53.512Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-5470 |
vulnerable | 2026-06-03 14:40:30.237720 |
Details available
An information disclosure issue was discovered GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.
Published: 2020-01-28T02:49:40.000Z
Updated: 2024-08-04T19:54:53.581Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-8971 |
vulnerable | 2026-06-03 14:39:09.630012 |
Details available
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
Published: 2018-03-24T21:00:00.000Z
Updated: 2024-08-05T07:10:47.324Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2017-8778 |
vulnerable | 2026-06-03 14:37:40.583721 |
Details available
GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document.
Published: 2017-05-04T15:00:00.000Z
Updated: 2024-08-05T16:48:22.376Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2014-8540 |
vulnerable | 2026-06-03 14:34:24.267811 |
Details available
The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks.
Published: 2018-01-05T16:00:00.000Z
Updated: 2024-08-06T13:18:48.503Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-4583 |
vulnerable | 2026-06-03 14:33:18.303888 |
Details available
The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges and clone arbitrary repositories.
Published: 2020-01-28T15:11:45.000Z
Updated: 2024-08-06T16:45:14.926Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-4582 |
vulnerable | 2026-06-03 14:33:18.299396 |
Details available
The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to include information from local files into the metadata of a Git repository via the web interface.
Published: 2020-01-28T15:17:23.000Z
Updated: 2024-08-06T16:45:15.169Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-4580 |
vulnerable | 2026-06-03 14:33:18.225108 |
Details available
GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1, when using a MySQL backend, allows remote attackers to impersonate arbitrary users and bypass authentication via unspecified API calls.
Published: 2014-05-12T14:00:00.000Z
Updated: 2024-08-06T16:45:14.838Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.