
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

part: a, version: *, update: *

Vendor: Gitlab (57573e99-56e6-5fad-895e-0ce7fffc5b90)
Product: Gitlab (5414fcda-a172-5f72-b6e4-b415a19d21eb)
Edition: *
Language: *
Software edition: community
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:gitlab/gitlab-org/gitlab | purl2cpe | 2026-06-01 10:14:46.591781

Vulnerability references

Identifier | cpe Applicability | Submitted | db.gcve.eu details (severity, description, published, updated, reference links) | Rationale
CVE:CVE-2026-8280 vulnerable 2026-06-03 15:27:57.827627 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to cause denial of service through excessive memory consumption due to improper input validation.
Published: 2026-05-14T05:33:22.338Z
Updated: 2026-05-14T13:15:30.549Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-8144 vulnerable 2026-06-03 15:27:57.699226 Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization checks.
Published: 2026-05-14T05:33:17.465Z
Updated: 2026-05-14T13:49:09.445Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6515 vulnerable 2026-06-03 15:27:55.414478 Insufficient Session Expiration in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
Published: 2026-04-22T16:04:11.611Z
Updated: 2026-04-22T17:51:09.883Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6335 vulnerable 2026-06-03 15:27:55.138828 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.
Published: 2026-05-14T05:33:57.334Z
Updated: 2026-05-15T09:58:59.492Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-5816 vulnerable 2026-06-03 15:27:54.258124 Improper Resolution of Path Equivalence in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
Published: 2026-04-22T16:04:26.293Z
Updated: 2026-04-23T03:56:09.061Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-5262 vulnerable 2026-06-03 15:26:26.909853 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.
Published: 2026-04-22T16:04:36.550Z
Updated: 2026-04-22T18:08:34.142Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-5173 vulnerable 2026-06-03 15:26:26.638851 Exposed Dangerous Method or Function in GitLab
HIGH (8.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Published: 2026-04-08T22:25:12.946Z
Updated: 2026-04-09T13:16:53.628Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4922 vulnerable 2026-06-03 15:26:26.303122 Cross-Site Request Forgery (CSRF) in GitLab
HIGH (8.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Published: 2026-04-22T16:29:38.861Z
Updated: 2026-04-24T03:55:17.281Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4916 vulnerable 2026-06-03 15:26:26.290557 Missing Authorization in GitLab
LOW (2.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations.
Published: 2026-04-08T22:25:22.837Z
Updated: 2026-04-09T13:05:54.501Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4527 vulnerable 2026-06-03 15:26:25.623638 Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a specially crafted link due to missing CSRF protection.
Published: 2026-05-14T05:34:32.344Z
Updated: 2026-05-14T13:22:37.251Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4524 vulnerable 2026-06-03 15:26:25.618855 Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.
Published: 2026-05-14T05:34:52.339Z
Updated: 2026-05-14T13:23:21.379Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3988 vulnerable 2026-06-03 15:23:33.844167 Inefficient Algorithmic Complexity in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.
Published: 2026-03-25T16:33:43.952Z
Updated: 2026-03-25T17:21:53.191Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3857 vulnerable 2026-06-03 15:23:33.628293 Cross-Site Request Forgery (CSRF) in GitLab
HIGH (8.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Published: 2026-03-25T16:33:53.854Z
Updated: 2026-03-26T13:20:03.781Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3848 vulnerable 2026-06-03 15:23:33.615373 Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab
MEDIUM (5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
Published: 2026-03-11T15:37:11.894Z
Updated: 2026-03-12T14:23:58.017Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3607 vulnerable 2026-06-03 15:23:33.180175 Access Control Check Implemented After Asset is Accessed in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control.
Published: 2026-05-14T05:35:42.338Z
Updated: 2026-05-14T13:06:45.555Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3160 vulnerable 2026-06-03 15:23:31.570971 Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
MEDIUM (5.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.
Published: 2026-05-14T05:35:57.340Z
Updated: 2026-05-14T13:09:24.780Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3074 vulnerable 2026-06-03 15:22:13.660108 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
Published: 2026-05-14T05:36:02.934Z
Updated: 2026-05-14T13:08:28.045Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3073 vulnerable 2026-06-03 15:22:13.658742 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.
Published: 2026-05-14T05:36:12.338Z
Updated: 2026-05-14T13:07:50.839Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2973 vulnerable 2026-06-03 15:19:25.515599 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.
Published: 2026-03-25T16:34:03.852Z
Updated: 2026-03-26T17:24:32.440Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2845 vulnerable 2026-06-03 15:19:25.106344 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Published: 2026-02-25T20:04:35.210Z
Updated: 2026-02-26T15:45:14.406Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2745 vulnerable 2026-06-03 15:19:24.908465 Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.
Published: 2026-03-25T16:34:18.860Z
Updated: 2026-03-26T03:55:31.559Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2726 vulnerable 2026-06-03 15:19:24.868565 Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.
Published: 2026-03-25T16:34:13.838Z
Updated: 2026-03-25T17:14:34.612Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2370 vulnerable 2026-06-03 15:19:24.122210 Improper Handling of Parameters in GitLab
HIGH (8.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
Published: 2026-03-29T23:33:44.410Z
Updated: 2026-03-30T15:02:06.576Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2104 vulnerable 2026-06-03 15:19:23.506761 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Published: 2026-04-08T22:25:47.858Z
Updated: 2026-04-09T15:43:25.441Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1751 vulnerable 2026-06-03 15:14:45.261313 Missing Authorization in GitLab
LOW (3.1)
A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.
Published: 2026-02-02T09:04:38.090Z
Updated: 2026-02-02T13:24:44.683Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1747 vulnerable 2026-06-03 15:14:45.254374 Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Published: 2026-02-25T20:04:49.893Z
Updated: 2026-02-26T15:39:03.951Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1732 vulnerable 2026-06-03 15:14:45.223705 Improper Removal of Sensitive Information Before Storage or Transfer in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.
Published: 2026-03-11T15:37:26.891Z
Updated: 2026-03-12T16:12:20.254Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1663 vulnerable 2026-06-03 15:14:44.892637 Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in the group import process under certain circumstances.
Published: 2026-03-11T16:04:50.787Z
Updated: 2026-03-12T16:15:41.091Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1662 vulnerable 2026-06-03 15:14:44.891858 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Published: 2026-02-25T20:04:59.913Z
Updated: 2026-02-26T15:10:46.924Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1660 vulnerable 2026-06-03 15:14:44.891178 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to cause denial of service when importing issues due to improper input validation.
Published: 2026-04-22T16:04:51.382Z
Updated: 2026-04-22T17:39:02.958Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1659 vulnerable 2026-06-03 15:14:44.890504 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.
Published: 2026-05-14T05:36:32.362Z
Updated: 2026-05-14T13:00:59.317Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1458 vulnerable 2026-06-03 15:14:44.444051 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
Published: 2026-02-11T11:04:05.401Z
Updated: 2026-02-11T15:42:58.333Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1456 vulnerable 2026-06-03 15:14:44.438402 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
Published: 2026-02-11T11:04:15.246Z
Updated: 2026-02-11T15:40:00.821Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1388 vulnerable 2026-06-03 15:14:44.288001 Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Published: 2026-02-25T20:05:05.289Z
Updated: 2026-02-26T15:07:56.004Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1338 vulnerable 2026-06-03 15:14:44.195929 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
Published: 2026-05-14T05:36:42.333Z
Updated: 2026-05-14T13:05:58.427Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1322 vulnerable 2026-06-03 15:14:44.151843 Business Logic Errors in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.
Published: 2026-05-14T05:36:47.351Z
Updated: 2026-05-14T13:05:16.129Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1282 vulnerable 2026-06-03 15:14:44.090392 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project label titles.
Published: 2026-02-11T11:04:25.235Z
Updated: 2026-02-11T21:18:14.189Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1230 vulnerable 2026-06-03 15:14:43.968973 Use of Incorrectly-Resolved Name or Reference in GitLab
MEDIUM (4.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.
Published: 2026-03-11T16:05:00.849Z
Updated: 2026-03-11T19:46:36.143Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1182 vulnerable 2026-06-03 15:14:43.880099 Improper Removal of Sensitive Information Before Storage or Transfer in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue titles created in public projects under certain circumstances.
Published: 2026-03-12T01:33:23.543Z
Updated: 2026-03-12T13:25:11.338Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1102 vulnerable 2026-06-03 15:14:43.767197 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Published: 2026-01-22T13:33:53.530Z
Updated: 2026-01-22T15:29:45.284Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1094 vulnerable 2026-06-03 15:14:43.753269 Improper Validation of Unsafe Equivalence in Input in GitLab
MEDIUM (4.6)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Published: 2026-02-11T11:04:35.229Z
Updated: 2026-02-11T21:18:35.282Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1092 vulnerable 2026-06-03 15:14:43.748039 Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Published: 2026-04-08T22:26:12.837Z
Updated: 2026-04-09T15:09:51.969Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1090 vulnerable 2026-06-03 15:14:43.747613 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
Published: 2026-03-11T16:05:05.863Z
Updated: 2026-03-12T13:32:23.694Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1069 vulnerable 2026-06-03 15:14:43.707894 Uncontrolled Recursion in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
Published: 2026-03-11T16:05:10.674Z
Updated: 2026-03-11T19:39:56.098Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0958 vulnerable 2026-06-03 15:14:43.288423 Interpretation Conflict in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
Published: 2026-02-11T11:33:46.426Z
Updated: 2026-02-11T15:19:41.414Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0752 vulnerable 2026-06-03 15:14:42.785251 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Published: 2026-02-25T20:05:19.818Z
Updated: 2026-02-26T14:44:05.136Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0723 vulnerable 2026-06-03 15:14:42.710837 Unchecked Return Value in GitLab
HIGH (7.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
Published: 2026-01-22T13:34:08.340Z
Updated: 2026-02-26T14:44:33.144Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0602 vulnerable 2026-06-03 15:14:42.291283 Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.
Published: 2026-03-11T16:05:20.680Z
Updated: 2026-03-11T19:36:50.673Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0595 vulnerable 2026-06-03 15:14:42.169050 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.
Published: 2026-02-11T11:33:56.425Z
Updated: 2026-02-26T14:44:28.036Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9958 vulnerable 2026-06-03 15:14:40.214096 Insertion of Sensitive Information Into Sent Data in GitLab
HIGH (7.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations.
Published: 2025-09-26T09:04:41.537Z
Updated: 2025-11-06T17:30:27.285Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9957 vulnerable 2026-06-03 15:14:40.210683 Incorrect Authorization in GitLab
LOW (2.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.
Published: 2026-04-22T16:05:16.304Z
Updated: 2026-04-22T17:34:06.772Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9825 vulnerable 2026-06-03 15:14:39.799384 Missing Authorization in GitLab
MEDIUM (5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.
Published: 2025-11-21T05:33:31.558Z
Updated: 2025-11-24T18:09:10.207Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9642 vulnerable 2026-06-03 15:13:46.947114 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover.
Published: 2025-09-26T09:04:51.532Z
Updated: 2025-09-26T13:15:17.950Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9222 vulnerable 2026-06-03 15:13:45.720828 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
Published: 2026-01-09T10:04:36.272Z
Updated: 2026-02-26T15:04:51.985Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-8405 vulnerable 2026-06-03 15:13:43.544700 Improper Encoding or Escaping of Output in GitLab
HIGH (7.7)
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.
Published: 2025-12-11T04:05:07.234Z
Updated: 2026-02-26T16:21:04.264Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-8099 vulnerable 2026-06-03 15:13:42.724416 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Published: 2026-02-11T11:35:11.456Z
Updated: 2026-02-11T15:14:09.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-8014 vulnerable 2026-06-03 15:13:42.030918 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption.
Published: 2025-09-27T16:33:32.601Z
Updated: 2025-09-30T17:27:13.696Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7739 vulnerable 2026-06-03 15:13:41.355483 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.
Published: 2025-08-13T17:26:25.490Z
Updated: 2025-08-13T20:36:20.769Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7736 vulnerable 2026-06-03 15:13:41.350077 Incorrect Authorization in GitLab
LOW (3.1)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers.
Published: 2025-11-15T08:04:14.734Z
Updated: 2025-11-17T20:13:18.378Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7734 vulnerable 2026-06-03 15:13:41.344528 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Published: 2025-08-13T17:26:20.482Z
Updated: 2025-08-13T20:35:29.997Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7691 vulnerable 2026-06-03 15:13:41.122522 Privilege Defined With Unsafe Actions in GitLab
MEDIUM (6.5)
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.
Published: 2025-09-26T09:05:06.532Z
Updated: 2026-02-26T17:47:53.973Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7659 vulnerable 2026-06-03 15:13:40.973616 Origin Validation Error in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.
Published: 2026-02-11T11:35:16.441Z
Updated: 2026-02-26T14:44:27.435Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7449 vulnerable 2026-06-03 15:12:31.286644 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing.
Published: 2025-11-26T19:46:32.641Z
Updated: 2025-12-10T23:01:24.555Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7337 vulnerable 2026-06-03 15:12:30.950626 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab instance by uploading large files.
Published: 2025-09-12T06:05:35.035Z
Updated: 2025-09-12T16:07:00.708Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7001 vulnerable 2026-06-03 15:12:30.324510 Insufficient Granularity of Access Control in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed privileged users to access certain resource_group information through the API which should have been unavailable.
Published: 2025-07-24T06:05:22.870Z
Updated: 2025-07-24T13:36:37.546Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7000 vulnerable 2026-06-03 15:12:30.323912 Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.
Published: 2025-11-15T08:04:19.745Z
Updated: 2025-11-17T20:14:12.187Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6948 vulnerable 2026-06-03 15:12:29.398146 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Published: 2025-07-10T08:30:39.878Z
Updated: 2026-02-26T17:50:48.879Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6769 vulnerable 2026-06-03 15:12:28.891867 Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces.
Published: 2025-09-12T06:05:44.797Z
Updated: 2025-09-12T17:18:18.621Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6454 vulnerable 2026-06-03 15:12:27.635804 Server-Side Request Forgery (SSRF) in GitLab
HIGH (8.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences.
Published: 2025-09-12T06:05:49.792Z
Updated: 2025-09-12T17:18:59.590Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6186 vulnerable 2026-06-03 15:12:26.938988 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.
Published: 2025-08-13T17:26:35.507Z
Updated: 2025-08-13T20:36:52.358Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6171 vulnerable 2026-06-03 15:12:26.907968 Missing Authorization in GitLab
MEDIUM (5.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.
Published: 2025-11-15T08:04:24.736Z
Updated: 2025-11-17T20:15:16.095Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6016 vulnerable 2026-06-03 15:12:26.319693 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service due to insufficient resource allocation limits when retrieving notes under certain conditions.
Published: 2026-04-22T16:05:26.340Z
Updated: 2026-04-22T17:32:08.602Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5996 vulnerable 2026-06-03 15:07:55.231609 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. A lack of input validation in HTTP responses could allow an authenticated user to cause denial of service.
Published: 2025-06-12T10:02:15.206Z
Updated: 2025-08-01T17:15:41.215Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5819 vulnerable 2026-06-03 15:07:54.690636 Incorrect Permission Assignment for Critical Resource in GitLab
MEDIUM (5)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.
Published: 2025-08-13T17:26:45.482Z
Updated: 2025-08-29T16:23:04.943Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5315 vulnerable 2026-06-03 15:06:27.512003 Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
Published: 2025-06-26T05:31:15.850Z
Updated: 2025-06-26T13:22:43.572Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5195 vulnerable 2026-06-03 15:06:27.220626 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure.
Published: 2025-06-12T10:31:00.372Z
Updated: 2025-06-12T13:25:45.847Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5121 vulnerable 2026-06-03 15:06:27.044509 Missing Authorization in GitLab
HIGH (8.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.
Published: 2025-06-20T17:12:39.860Z
Updated: 2025-06-20T17:29:37.340Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5101 vulnerable 2026-06-03 15:06:26.989772 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5)
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.
Published: 2025-08-27T19:33:36.040Z
Updated: 2025-08-27T19:53:36.682Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-5069 vulnerable 2026-06-03 15:06:26.916888 Incorrect Ownership Assignment in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name to the victim's project.
Published: 2025-09-26T09:11:09.636Z
Updated: 2025-09-26T13:12:27.389Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4979 vulnerable 2026-06-03 15:01:49.116157 Insufficient Granularity of Access Control in GitLab
MEDIUM (4.9)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
Published: 2025-05-22T13:30:28.496Z
Updated: 2025-05-22T14:21:32.253Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4700 vulnerable 2026-06-03 15:01:48.580559 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.
Published: 2025-07-23T17:33:13.646Z
Updated: 2026-02-26T17:50:16.041Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4439 vulnerable 2026-06-03 15:01:47.673180 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.
Published: 2025-07-23T18:09:17.968Z
Updated: 2026-02-26T17:50:15.821Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4278 vulnerable 2026-06-03 15:01:47.353317 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions, HTML injection in the new search page could lead to account takeover.
Published: 2025-06-12T10:02:25.006Z
Updated: 2025-06-12T13:43:54.714Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4225 vulnerable 2026-06-03 15:01:46.981795 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests.
Published: 2025-08-27T19:33:45.928Z
Updated: 2025-08-27T19:52:40.877Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4097 vulnerable 2026-06-03 15:01:46.738596 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
Published: 2025-12-11T04:05:22.190Z
Updated: 2025-12-11T15:00:16.738Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3950 vulnerable 2026-06-03 15:01:06.027638 Exposure of Private Personal Information to an Unauthorized Actor in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
Published: 2026-01-09T10:04:51.264Z
Updated: 2026-01-09T14:42:21.828Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3922 vulnerable 2026-06-03 15:01:05.943410 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API.
Published: 2026-04-22T16:05:31.304Z
Updated: 2026-04-22T17:28:16.879Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3601 vulnerable 2026-06-03 15:01:05.032711 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses.
Published: 2025-08-27T19:33:50.920Z
Updated: 2025-08-27T19:54:21.123Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3525 vulnerable 2026-06-03 15:01:04.793082 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI triggers via the API.
Published: 2026-02-25T19:33:56.609Z
Updated: 2026-02-25T20:51:14.590Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3279 vulnerable 2026-06-03 15:01:04.138477 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
Published: 2025-06-26T05:31:25.858Z
Updated: 2025-06-26T13:22:27.886Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3111 vulnerable 2026-06-03 15:01:03.675614 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service.
Published: 2025-05-22T13:30:43.544Z
Updated: 2025-05-22T14:51:11.125Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2938 vulnerable 2026-06-03 15:00:26.887317 Business Logic Errors in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.
Published: 2025-06-26T05:31:30.851Z
Updated: 2026-02-26T17:50:22.974Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2937 vulnerable 2026-06-03 15:00:26.886845 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature.
Published: 2025-08-13T17:26:55.506Z
Updated: 2025-08-13T20:03:48.370Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2934 vulnerable 2026-06-03 15:00:26.884697 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.
Published: 2025-10-09T11:33:43.956Z
Updated: 2025-10-09T13:48:56.561Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2867 vulnerable 2026-06-03 15:00:26.722984 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.4)
An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data to unauthorized users.
Published: 2025-03-27T14:02:18.359Z
Updated: 2025-03-27T14:18:32.168Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2853 vulnerable 2026-06-03 15:00:26.676624 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
Published: 2025-05-22T13:30:48.335Z
Updated: 2025-05-22T14:50:36.079Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2615 vulnerable 2026-06-03 15:00:26.101917 Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.
Published: 2025-11-15T08:04:44.743Z
Updated: 2025-11-17T20:16:30.455Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2614 vulnerable 2026-06-03 15:00:26.101279 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed.
Published: 2025-08-13T17:27:00.485Z
Updated: 2025-08-13T18:31:35.236Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2469 vulnerable 2026-06-03 15:00:25.515374 Debug Messages Revealing Unnecessary Information in GitLab
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.
Published: 2025-04-10T13:30:43.136Z
Updated: 2025-04-10T14:13:00.917Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2408 vulnerable 2026-06-03 15:00:25.459397 Insufficient Granularity of Access Control in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
Published: 2025-04-10T12:30:48.931Z
Updated: 2025-04-10T13:03:28.479Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2256 vulnerable 2026-06-03 15:00:25.043795 Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.
Published: 2025-09-12T06:06:04.796Z
Updated: 2025-09-12T17:19:32.801Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2255 vulnerable 2026-06-03 15:00:25.043209 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS).
Published: 2025-03-27T12:30:47.592Z
Updated: 2025-03-27T13:13:21.218Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2254 vulnerable 2026-06-03 15:00:25.042748 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snippet viewer functionality led to Cross-Site Scripting attacks.
Published: 2025-06-12T10:02:40.003Z
Updated: 2025-06-12T13:42:30.110Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2246 vulnerable 2026-06-03 15:00:25.016227 Missing Authorization in GitLab
MEDIUM (5.8)
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API.
Published: 2025-08-27T19:34:00.919Z
Updated: 2025-08-27T19:49:56.554Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2242 vulnerable 2026-06-03 15:00:25.005114 Incorrect Authorization in GitLab
HIGH (7.5)
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.
Published: 2025-03-27T12:30:57.479Z
Updated: 2025-03-27T13:11:00.331Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1908 vulnerable 2026-06-03 14:59:06.798748 Business Logic Errors in GitLab
HIGH (7.7)
An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-04-24T07:30:51.255Z
Updated: 2025-04-24T15:23:23.164Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1763 vulnerable 2026-06-03 14:59:06.447270 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-05-30T11:02:36.384Z
Updated: 2025-05-30T12:50:13.554Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1754 vulnerable 2026-06-03 14:59:06.357746 Missing Authentication for Critical Function in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.
Published: 2025-06-26T05:31:40.856Z
Updated: 2025-06-26T13:19:41.870Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1677 vulnerable 2026-06-03 14:59:06.022893 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions up to 17.8.7, 17.9 prior to 17.9.6, and 17.10 prior to 17.10.4. A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
Published: 2025-04-10T12:30:58.715Z
Updated: 2025-04-10T13:02:54.300Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1540 vulnerable 2026-06-03 14:59:05.729954 Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read and clone internal projects under certain circumstances.
Published: 2025-03-06T08:31:07.791Z
Updated: 2025-03-06T16:29:08.261Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1516 vulnerable 2026-06-03 14:59:05.669436 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper input validation in Tokens Names could be used to trigger a denial of service.
Published: 2025-06-12T10:02:45.134Z
Updated: 2025-06-12T13:38:08.165Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1478 vulnerable 2026-06-03 14:59:05.560692 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service.
Published: 2025-06-12T10:02:49.998Z
Updated: 2025-06-12T13:30:42.186Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1477 vulnerable 2026-06-03 14:59:05.560221 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints.
Published: 2025-08-13T17:27:25.496Z
Updated: 2025-08-13T20:01:32.448Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1299 vulnerable 2026-06-03 14:59:04.988921 Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, and all versions starting from 18.2 before 18.2.1 that, under certain circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.
Published: 2025-07-24T06:33:28.184Z
Updated: 2025-07-24T13:36:27.415Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1278 vulnerable 2026-06-03 14:58:58.208367 Insufficient Granularity of Access Control in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
Published: 2025-05-09T16:13:14.048Z
Updated: 2025-05-09T20:03:19.786Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1250 vulnerable 2026-06-03 14:58:58.094724 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.
Published: 2025-09-12T06:06:14.804Z
Updated: 2025-09-12T17:20:05.685Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1212 vulnerable 2026-06-03 14:58:58.010970 Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (4.3)
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
Published: 2025-02-12T15:02:07.113Z
Updated: 2025-02-12T21:07:44.561Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1198 vulnerable 2026-06-03 14:58:57.994831 Insufficient Session Expiration in GitLab
MEDIUM (4.2)
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
Published: 2025-02-13T00:55:50.295Z
Updated: 2025-02-13T14:57:28.962Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1072 vulnerable 2026-06-03 14:58:57.677752 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer.
Published: 2025-02-07T04:05:20.188Z
Updated: 2025-02-07T15:58:01.767Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14870 vulnerable 2026-06-03 14:58:56.070854 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.
Published: 2026-05-14T05:37:32.535Z
Updated: 2026-05-14T13:03:02.406Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14869 vulnerable 2026-06-03 14:58:56.070432 Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.
Published: 2026-05-14T05:38:02.894Z
Updated: 2026-05-14T17:44:06.082Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14595 vulnerable 2026-06-03 14:58:55.645020 Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control.
Published: 2026-03-25T16:34:43.856Z
Updated: 2026-03-27T14:58:40.717Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14594 vulnerable 2026-06-03 14:58:55.644511 Authorization Bypass Through User-Controlled Key in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.
Published: 2026-02-11T11:34:06.815Z
Updated: 2026-02-11T15:17:25.802Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14592 vulnerable 2026-06-03 14:58:55.632578 Missing Authorization in GitLab
LOW (3.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
Published: 2026-02-11T11:34:01.432Z
Updated: 2026-02-11T15:18:04.995Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14560 vulnerable 2026-06-03 14:58:55.563762 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow.
Published: 2026-02-11T11:34:16.431Z
Updated: 2026-02-26T14:44:27.727Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14513 vulnerable 2026-06-03 14:58:55.467071 Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.
Published: 2026-03-11T16:05:30.683Z
Updated: 2026-03-11T19:32:33.904Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14511 vulnerable 2026-06-03 14:58:55.462814 Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.
Published: 2026-02-25T20:05:24.799Z
Updated: 2026-02-26T15:57:25.416Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14157 vulnerable 2026-06-03 14:58:54.670585 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters.
Published: 2025-12-11T03:33:18.048Z
Updated: 2025-12-11T15:33:50.064Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14103 vulnerable 2026-06-03 14:58:54.526170 Missing Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
Published: 2026-02-25T19:33:35.698Z
Updated: 2026-02-25T20:52:22.958Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13978 vulnerable 2026-06-03 14:58:54.225636 Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access to through API requests.
Published: 2025-12-11T03:33:22.925Z
Updated: 2025-12-11T15:23:44.385Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13929 vulnerable 2026-06-03 14:58:54.003091 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions.
Published: 2026-03-11T16:05:35.672Z
Updated: 2026-03-12T16:20:28.038Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13928 vulnerable 2026-06-03 14:58:54.002406 Incorrect Authorization in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
Published: 2026-01-22T13:34:18.349Z
Updated: 2026-01-22T15:26:44.128Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13927 vulnerable 2026-06-03 14:58:54.001969 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
Published: 2026-01-22T13:34:13.359Z
Updated: 2026-01-22T15:27:56.204Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13874 vulnerable 2026-06-03 14:58:53.870061 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
Published: 2026-05-14T05:38:27.341Z
Updated: 2026-05-14T17:45:08.662Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13761 vulnerable 2026-06-03 14:58:53.599312 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
Published: 2026-01-09T10:04:01.331Z
Updated: 2026-02-26T15:04:52.291Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13690 vulnerable 2026-06-03 14:58:53.426540 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.
Published: 2026-03-11T16:05:45.741Z
Updated: 2026-03-12T16:20:22.100Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13611 vulnerable 2026-06-03 14:58:46.577883 Insertion of Sensitive Information into Log File in GitLab
LOW (2)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.5.5 and 18.6 before 18.6.3 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.
Published: 2025-11-26T19:45:57.778Z
Updated: 2026-03-31T11:46:48.585Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13436 vulnerable 2026-06-03 14:58:46.064781 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Published: 2026-03-25T16:34:53.851Z
Updated: 2026-03-25T17:03:54.631Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13335 vulnerable 2026-06-03 14:58:45.913281 Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Published: 2026-01-22T10:04:27.602Z
Updated: 2026-01-22T14:12:36.778Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13078 vulnerable 2026-06-03 14:58:45.484874 Improper Validation of Specified Quantity in Input in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
Published: 2026-03-25T16:35:03.858Z
Updated: 2026-03-25T17:02:57.718Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12983 vulnerable 2026-06-03 14:58:45.375676 Memory Allocation with Excessive Size Value in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.
Published: 2025-11-15T08:13:32.098Z
Updated: 2025-11-17T20:17:39.698Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12734 vulnerable 2026-06-03 14:58:44.786572 Improper Encoding or Escaping of Output in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.
Published: 2025-12-11T07:32:01.735Z
Updated: 2025-12-16T23:44:05.510Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12716 vulnerable 2026-06-03 14:58:44.773418 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.
Published: 2025-12-11T03:33:37.916Z
Updated: 2026-02-26T16:21:05.064Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12704 vulnerable 2026-06-03 14:58:44.754132 Missing Authorization in GitLab
LOW (3.5)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
Published: 2026-03-11T16:05:55.759Z
Updated: 2026-03-12T16:20:13.909Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12697 vulnerable 2026-06-03 14:58:44.750551 Improper Encoding or Escaping of Output in GitLab
LOW (2.2)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
Published: 2026-03-11T16:06:00.688Z
Updated: 2026-03-11T17:23:04.370Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12669 vulnerable 2026-06-03 14:58:44.701987 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.
Published: 2026-05-14T05:38:37.338Z
Updated: 2026-05-14T17:47:03.748Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12664 vulnerable 2026-06-03 14:58:44.693774 Improper Validation of Specified Quantity in Input in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Published: 2026-04-08T22:26:42.854Z
Updated: 2026-04-09T13:03:53.739Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12653 vulnerable 2026-06-03 14:58:44.676383 Authentication Bypass by Spoofing in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.
Published: 2025-11-26T19:46:12.641Z
Updated: 2025-12-10T23:01:24.241Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12576 vulnerable 2026-06-03 14:58:44.551212 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data.
Published: 2026-03-11T16:06:15.686Z
Updated: 2026-03-11T19:36:36.682Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12571 vulnerable 2026-06-03 14:58:44.545582 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.
Published: 2025-11-26T19:46:17.647Z
Updated: 2025-12-10T23:01:24.090Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12562 vulnerable 2026-06-03 14:58:44.541334 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits.
Published: 2025-12-11T03:33:47.966Z
Updated: 2025-12-11T15:17:34.128Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12555 vulnerable 2026-06-03 14:58:44.534161 Incorrect Authorization in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.
Published: 2026-03-11T16:07:15.673Z
Updated: 2026-03-12T16:20:07.813Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12073 vulnerable 2026-06-03 14:58:43.748525 Server-Side Request Forgery (SSRF) in GitLab
MEDIUM (4.3)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
Published: 2026-02-11T11:34:46.437Z
Updated: 2026-02-11T15:14:53.506Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12029 vulnerable 2026-06-03 14:58:43.674565 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI.
Published: 2025-12-11T07:32:16.477Z
Updated: 2026-02-26T16:21:04.107Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11984 vulnerable 2026-06-03 14:58:43.589573 Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.8)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.
Published: 2025-12-11T04:04:47.302Z
Updated: 2026-02-26T16:21:04.830Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11974 vulnerable 2026-06-03 14:58:43.578062 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints.
Published: 2025-10-27T00:05:24.332Z
Updated: 2025-10-28T14:59:56.029Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11447 vulnerable 2026-06-03 14:58:36.071907 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.
Published: 2025-10-27T00:05:19.810Z
Updated: 2025-10-28T14:58:37.798Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11340 vulnerable 2026-06-03 14:58:35.935204 Incorrect Authorization in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
Published: 2025-10-09T12:04:20.127Z
Updated: 2025-10-09T13:43:00.365Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11246 vulnerable 2026-06-03 14:58:35.797682 Insufficient Granularity of Access Control in GitLab
MEDIUM (5.4)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Published: 2026-01-09T10:04:21.283Z
Updated: 2026-01-09T19:13:17.900Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11224 vulnerable 2026-06-03 14:58:35.652407 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.
Published: 2026-01-14T18:58:03.982Z
Updated: 2026-02-26T15:04:08.322Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11042 vulnerable 2026-06-03 14:58:35.292679 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries.
Published: 2025-09-26T09:18:31.712Z
Updated: 2025-09-26T13:10:33.841Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10871 vulnerable 2026-06-03 14:58:34.934730 Missing Authorization in GitLab
LOW (3.8)
An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges.
Published: 2025-09-26T09:04:21.687Z
Updated: 2026-02-26T17:47:54.446Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10868 vulnerable 2026-06-03 14:58:34.927747 Business Logic Errors in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs.
Published: 2025-09-26T09:10:49.812Z
Updated: 2025-09-26T13:13:02.624Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10867 vulnerable 2026-06-03 14:58:34.927220 Allocation of Resources Without Limits or Throttling in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests.
Published: 2025-09-26T09:04:26.530Z
Updated: 2025-09-26T15:33:34.488Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10858 vulnerable 2026-06-03 14:58:34.920470 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files.
Published: 2025-09-26T09:04:31.555Z
Updated: 2025-09-26T15:32:55.310Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10569 vulnerable 2026-06-03 14:58:34.339455 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
Published: 2026-01-09T10:04:26.275Z
Updated: 2026-01-09T19:12:12.768Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10497 vulnerable 2026-06-03 14:58:34.241564 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads.
Published: 2025-10-27T00:05:39.306Z
Updated: 2025-10-28T15:02:48.809Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10094 vulnerable 2026-06-03 14:58:33.534260 Improper Validation of Specified Quantity in Input in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with excessively large names.
Published: 2025-09-12T04:57:11.650Z
Updated: 2025-09-12T13:05:11.654Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10004 vulnerable 2026-06-03 14:58:33.389696 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
Published: 2025-10-09T12:04:30.109Z
Updated: 2025-10-09T13:16:38.980Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0993 vulnerable 2026-06-03 14:58:33.374672 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.
Published: 2025-05-22T14:31:34.239Z
Updated: 2025-05-22T14:46:54.356Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0811 vulnerable 2026-06-03 14:58:32.982414 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.
Published: 2025-03-27T12:31:07.487Z
Updated: 2025-03-27T13:08:11.807Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0765 vulnerable 2026-06-03 14:58:32.927554 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses.
Published: 2025-07-24T06:33:38.009Z
Updated: 2025-07-24T13:36:22.397Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0679 vulnerable 2026-06-03 14:58:32.646942 Exposure of Private Personal Information to an Unauthorized Actor in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions unauthorised users can view full email addresses that should be partially obscured.
Published: 2025-05-22T14:31:44.104Z
Updated: 2025-05-22T14:46:00.223Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0673 vulnerable 2026-06-03 14:58:32.628468 Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2 that allows an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition.
Published: 2025-06-12T11:03:28.366Z
Updated: 2025-06-12T13:16:12.190Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0652 vulnerable 2026-06-03 14:58:32.580838 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.
Published: 2025-03-13T05:55:59.744Z
Updated: 2025-03-14T18:04:47.874Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0639 vulnerable 2026-06-03 14:58:32.536112 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered affecting service availability via issue preview in GitLab CE/EE affecting all versions from 16.7 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Published: 2025-04-24T07:31:06.117Z
Updated: 2025-04-24T15:23:17.586Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0605 vulnerable 2026-06-03 14:58:32.483582 Weak Authentication in GitLab
MEDIUM (4.6)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
Published: 2025-05-22T14:31:54.105Z
Updated: 2025-05-22T14:45:03.172Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0549 vulnerable 2026-06-03 14:58:32.413030 Authentication Bypass Using an Alternate Path or Channel in GitLab
MEDIUM (6.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction.
Published: 2025-05-09T16:13:23.860Z
Updated: 2025-05-09T19:58:30.277Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0516 vulnerable 2026-06-03 14:58:32.358870 Incorrect Authorization in GitLab
MEDIUM (4.3)
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 allows users with limited permissions to perform unauthorized actions on critical project data.
Published: 2025-02-12T15:30:47.995Z
Updated: 2025-02-12T16:00:10.811Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0475 vulnerable 2026-06-03 14:58:32.284150 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
Published: 2025-03-03T10:30:47.570Z
Updated: 2025-03-03T12:07:55.921Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0376 vulnerable 2026-06-03 14:58:32.152214 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
Published: 2025-02-12T15:02:22.215Z
Updated: 2025-02-13T14:14:09.377Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0362 vulnerable 2026-06-03 14:58:32.131308 Improper Restriction of Rendered UI Layers or Frames in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
Published: 2025-04-10T14:31:17.009Z
Updated: 2025-04-10T14:56:33.843Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0314 vulnerable 2026-06-03 14:58:32.036422 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types leads to cross-site scripting.
Published: 2025-01-24T02:30:44.273Z
Updated: 2025-02-12T20:41:30.754Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0290 vulnerable 2026-06-03 14:58:32.000404 Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive.
Published: 2025-01-28T08:45:09.560Z
Updated: 2025-01-28T14:41:52.667Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0194 vulnerable 2026-06-03 14:58:23.982928 Insertion of Sensitive Information into Externally-Accessible File or Directory in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner.
Published: 2025-01-08T20:02:01.498Z
Updated: 2025-01-09T06:35:12.315Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0186 vulnerable 2026-06-03 14:58:23.969217 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.
Published: 2026-04-22T16:05:41.343Z
Updated: 2026-04-22T17:25:02.340Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9693 vulnerable 2026-06-03 14:58:22.461002 Incorrect Authorization in GitLab
HIGH (8.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.
Published: 2024-11-14T11:02:01.506Z
Updated: 2024-11-15T04:55:40.277Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9633 vulnerable 2026-06-03 14:58:22.274682 Incorrect Ownership Assignment in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
Published: 2024-11-14T13:30:57.385Z
Updated: 2024-12-06T10:34:30.828Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9631 vulnerable 2026-06-03 14:58:22.272452 Inefficient Algorithmic Complexity in GitLab
HIGH (7.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Published: 2025-02-05T10:30:51.252Z
Updated: 2025-02-05T19:26:24.166Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9623 vulnerable 2026-06-03 14:58:22.256884 Incorrect Authorization in GitLab
MEDIUM (4.9)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
Published: 2024-10-10T09:30:38.315Z
Updated: 2024-10-10T12:52:37.951Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9512 vulnerable 2026-06-03 14:58:22.030400 Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for a private repository to be cloned in the case of a race condition when a secondary node is out of sync.
Published: 2025-06-12T14:02:55.123Z
Updated: 2025-06-12T14:13:37.117Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9387 vulnerable 2026-06-03 14:58:21.134799 URL Redirection to Untrusted Site ('Open Redirect') in GitLab
MEDIUM (6.4)
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
Published: 2024-12-12T12:02:39.825Z
Updated: 2024-12-17T04:56:10.278Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9367 vulnerable 2026-06-03 14:58:21.091628 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.
Published: 2024-12-12T12:02:44.837Z
Updated: 2024-12-12T15:44:25.438Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9183 vulnerable 2026-06-03 14:58:20.688839 Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab
HIGH (7.7)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions.
Published: 2025-12-05T16:34:00.971Z
Updated: 2026-02-26T16:57:29.574Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9164 vulnerable 2026-06-03 14:58:20.657496 Missing Authentication for Critical Function in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
Published: 2024-10-11T11:30:42.233Z
Updated: 2024-10-11T13:42:39.983Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9163 vulnerable 2026-06-03 14:58:20.654584 User Interface (UI) Misrepresentation of Critical Information in GitLab
LOW (3.5)
A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 allows an attacker to cause branch name confusion in confidential MRs.
Published: 2025-05-23T12:31:11.192Z
Updated: 2025-05-27T14:40:36.623Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8974 vulnerable 2026-06-03 14:58:20.136331 Incorrect Provision of Specified Functionality in GitLab
LOW (2.6)
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorised user.
Published: 2024-09-26T23:02:00.153Z
Updated: 2024-09-27T15:46:48.041Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8973 vulnerable 2026-06-03 14:58:20.135800 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a malicious crafted payload.
Published: 2025-05-09T16:14:45.564Z
Updated: 2025-05-09T19:54:29.190Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8970 vulnerable 2026-06-03 14:58:20.132592 Incorrect Authorization in GitLab
HIGH (8.2)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2024-10-11T12:30:37.109Z
Updated: 2024-10-11T13:37:54.711Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8754 vulnerable 2026-06-03 14:58:19.452536 External Control of Critical State Data in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows an attacker to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured.
Published: 2024-09-12T17:02:00.988Z
Updated: 2024-09-17T19:36:51.833Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8650 vulnerable 2026-06-03 14:58:19.050759 Incorrect Authorization in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.
Published: 2024-12-16T04:30:58.662Z
Updated: 2024-12-16T16:45:13.671Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8648 vulnerable 2026-06-03 14:58:19.050197 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (6.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.
Published: 2024-11-14T13:02:08.724Z
Updated: 2024-11-14T19:29:00.227Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8641 vulnerable 2026-06-03 14:58:19.036147 Privilege Context Switching Error in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
Published: 2024-09-12T18:26:18.243Z
Updated: 2024-09-13T14:10:32.415Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8635 vulnerable 2026-06-03 14:58:19.033424 Server-Side Request Forgery (SSRF) in GitLab
HIGH (7.7)
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
Published: 2024-09-12T17:01:51.084Z
Updated: 2024-09-13T14:17:39.564Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8631 vulnerable 2026-06-03 14:58:19.029258 Privilege Defined With Unsafe Actions in GitLab
MEDIUM (5.5)
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.
Published: 2024-09-12T17:11:03.832Z
Updated: 2024-09-13T14:17:39.020Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8312 vulnerable 2026-06-03 14:58:18.112759 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.
Published: 2024-10-24T09:30:43.270Z
Updated: 2024-10-24T12:57:20.551Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8266 vulnerable 2026-06-03 14:58:17.634211 Execution with Unnecessary Privileges in GitLab
MEDIUM (4.4)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances.
Published: 2025-02-13T00:54:15.748Z
Updated: 2025-02-13T15:06:49.385Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8237 vulnerable 2026-06-03 14:58:17.552555 Inefficient Algorithmic Complexity in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.
Published: 2024-11-26T18:31:00.676Z
Updated: 2024-11-26T18:42:11.715Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8233 vulnerable 2026-06-03 14:58:17.542035 Inefficient Algorithmic Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.
Published: 2024-12-12T12:02:59.800Z
Updated: 2024-12-12T15:44:14.399Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8186 vulnerable 2026-06-03 14:58:17.367526 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HTML into the child item search, potentially leading to XSS in certain situations.
Published: 2025-03-03T10:02:44.912Z
Updated: 2025-03-03T12:32:03.051Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8180 vulnerable 2026-06-03 14:58:17.353508 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.
Published: 2024-11-14T11:02:16.331Z
Updated: 2024-11-14T19:33:35.064Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8179 vulnerable 2026-06-03 14:58:17.352767 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.
Published: 2024-12-12T12:03:04.799Z
Updated: 2024-12-12T15:44:09.211Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8177 vulnerable 2026-06-03 14:58:17.335354 Inefficient Algorithmic Complexity in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, and starting from 17.6 prior to 17.6.1, which could cause Denial of Service via integrating a malicious Harbor registry.
Published: 2024-11-26T18:31:05.665Z
Updated: 2024-11-26T18:41:50.602Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8124 vulnerable 2026-06-03 14:58:16.995974 Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which could cause Denial of Service via sending a specific POST request.
Published: 2024-09-12T16:56:33.253Z
Updated: 2024-09-17T11:26:33.391Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8116 vulnerable 2026-06-03 14:58:16.989120 Incorrect Authorization in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.
Published: 2024-12-16T04:31:08.730Z
Updated: 2024-12-16T16:44:50.250Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8114 vulnerable 2026-06-03 14:58:16.986511 Missing Authorization in GitLab
HIGH (8.2)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.
Published: 2024-11-26T18:31:10.674Z
Updated: 2024-11-30T04:55:53.512Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8041 vulnerable 2026-06-03 14:58:08.009798 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.
Published: 2024-08-22T15:30:37.643Z
Updated: 2024-08-29T15:05:01.304Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7803 vulnerable 2026-06-03 14:58:07.198758 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS.
Published: 2025-05-23T12:31:21.008Z
Updated: 2025-05-27T14:40:07.374Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7610 vulnerable 2026-06-03 14:58:06.523896 Uncontrolled Resource Consumption in GitLab
MEDIUM (4.3)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
Published: 2024-08-08T10:30:43.133Z
Updated: 2024-08-29T15:05:01.225Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7586 vulnerable 2026-06-03 14:58:06.452546 Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4.1)
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
Published: 2025-06-20T13:58:37.159Z
Updated: 2025-06-20T14:53:39.330Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7554 vulnerable 2026-06-03 14:58:06.351827 Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
Published: 2024-08-08T10:30:47.869Z
Updated: 2024-08-29T15:05:01.135Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7404 vulnerable 2026-06-03 14:58:05.830432 Improper Restriction of Rendered UI Layers or Frames in GitLab
MEDIUM (6.8)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow.
Published: 2024-11-14T13:02:23.587Z
Updated: 2024-11-14T15:08:01.260Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7296 vulnerable 2026-06-03 14:58:05.487672 Incorrect Authorization in GitLab
LOW (2.7)
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
Published: 2025-03-13T06:00:54.415Z
Updated: 2025-03-14T13:43:35.011Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7110 vulnerable 2026-06-03 14:58:05.062602 Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
MEDIUM (6.4)
An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 that allows an attacker to execute arbitrary commands in a victim's pipeline through prompt injection.
Published: 2024-08-22T15:30:47.474Z
Updated: 2024-09-17T15:35:37.142Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7102 vulnerable 2026-06-03 14:58:05.054657 Execution with Unnecessary Privileges in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2025-02-13T00:54:25.633Z
Updated: 2025-02-13T14:59:00.454Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7091 vulnerable 2026-06-03 14:58:05.012475 Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.1)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.
Published: 2024-07-24T22:07:45.260Z
Updated: 2024-08-29T15:05:00.966Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7060 vulnerable 2026-06-03 14:58:04.942817 Exposure of Sensitive Information to an Unauthorized Actor in GitLab
LOW (2.6)
An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export.
Published: 2024-07-24T22:07:50.018Z
Updated: 2024-09-17T16:58:29.528Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7057 vulnerable 2026-06-03 14:58:04.937269 Improper Access Control in GitLab
MEDIUM (4.3)
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 allows job artifacts to be inappropriately exposed to users lacking the proper authorization level.
Published: 2024-07-25T00:30:55.513Z
Updated: 2024-08-29T15:05:00.782Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7047 vulnerable 2026-06-03 14:58:04.918434 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.7)
A cross-site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allowing an attacker to execute arbitrary scripts in the context of the currently logged-in user.
Published: 2024-07-25T00:30:40.657Z
Updated: 2024-08-29T15:05:00.689Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6826 vulnerable 2026-06-03 14:58:04.244301 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.
Published: 2024-10-24T09:30:58.183Z
Updated: 2024-10-24T12:56:42.887Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6685 vulnerable 2026-06-03 14:58:03.871212 Authorization Bypass Through User-Controlled Key in GitLab
LOW (3.1)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
Published: 2024-09-16T21:33:58.732Z
Updated: 2024-09-17T15:25:59.042Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6678 vulnerable 2026-06-03 14:58:03.860018 Authentication Bypass by Spoofing in GitLab
CRITICAL (9.9)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Published: 2024-09-12T18:26:33.060Z
Updated: 2024-09-13T14:17:37.029Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6595 vulnerable 2026-06-03 14:58:03.641388 Uncontrolled Search Path Element in GitLab
LOW (3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.
Published: 2024-07-17T01:30:43.332Z
Updated: 2024-09-17T15:32:29.174Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6530 vulnerable 2026-06-03 14:58:03.419647 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorizing an application, it can be made to render as HTML under specific circumstances.
Published: 2024-10-10T12:02:10.807Z
Updated: 2024-10-10T13:32:29.455Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6502 vulnerable 2026-06-03 14:58:03.335258 Incorrect Provision of Specified Functionality in GitLab
MEDIUM (5.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6, starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag.
Published: 2024-08-22T15:30:52.480Z
Updated: 2024-08-29T15:05:00.518Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6446 vulnerable 2026-06-03 14:58:03.201009 Business Logic Errors in GitLab
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim into trusting an attacker-controlled application.
Published: 2024-09-12T16:56:53.258Z
Updated: 2024-09-13T14:17:36.471Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6389 vulnerable 2026-06-03 14:58:03.071025 Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker with a guest user account was able to access commit information via the release Atom endpoint, contrary to permissions.
Published: 2024-09-12T16:56:48.267Z
Updated: 2024-09-13T14:17:35.852Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6385 vulnerable 2026-06-03 14:58:02.969515 Improper Access Control in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2024-07-11T06:56:54.515Z
Updated: 2024-09-18T13:11:50.553Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6329 vulnerable 2026-06-03 14:58:02.593321 Improper Encoding or Escaping of Output in GitLab
MEDIUM (5.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.
Published: 2024-08-08T10:02:09.817Z
Updated: 2024-08-29T15:05:00.349Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-6324 vulnerable 2026-06-03 14:58:02.579254 Inefficient Algorithmic Complexity in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.
Published: 2025-01-09T06:02:46.213Z
Updated: 2025-01-09T15:32:34.143Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5655 vulnerable 2026-06-03 14:57:53.658948 Improper Access Control in GitLab
CRITICAL (9.6)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Published: 2024-06-26T23:30:55.421Z
Updated: 2024-09-17T15:33:21.131Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5528 vulnerable 2026-06-03 14:57:53.039557 Incomplete Comparison with Missing Factors in GitLab
LOW (3.5)
An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.
Published: 2025-02-05T10:31:06.106Z
Updated: 2025-02-05T20:13:11.436Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5470 vulnerable 2026-06-03 14:57:52.906267 Improper Access Control in GitLab
LOW (3.8)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.
Published: 2024-07-11T06:57:04.361Z
Updated: 2024-08-29T15:04:59.607Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5435 vulnerable 2026-06-03 14:57:52.784565 Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (4.5)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, and all versions starting from 17.3 before 17.3.2 that will disclose the user password from the repository mirror configuration.
Published: 2024-09-12T16:56:58.445Z
Updated: 2024-09-13T14:17:35.209Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5430 vulnerable 2026-06-03 14:57:52.768176 Improper Access Control in GitLab
MEDIUM (6.8)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer to delete the merge request approval policy via GraphQL.
Published: 2024-06-26T23:30:50.436Z
Updated: 2024-08-29T15:04:59.442Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5423 vulnerable 2026-06-03 14:57:52.743681 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed an attacker to cause resource exhaustion via the banzai pipeline.
Published: 2024-08-08T10:31:02.871Z
Updated: 2024-08-29T15:04:59.365Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5318 vulnerable 2026-06-03 14:57:52.372490 Missing Authorization in GitLab
MEDIUM (4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts.
Published: 2024-05-24T12:44:25.720Z
Updated: 2024-10-03T06:23:19.497Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5258 vulnerable 2026-06-03 14:57:52.217999 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (4.4)
An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
Published: 2024-05-23T11:02:06.904Z
Updated: 2024-08-29T15:04:59.201Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5257 vulnerable 2026-06-03 14:57:52.217542 Improper Access Control in GitLab
MEDIUM (4.9)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.
Published: 2024-07-11T06:57:09.372Z
Updated: 2024-08-29T15:04:59.125Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5005 vulnerable 2026-06-03 14:57:51.460618 Incorrect Provision of Specified Functionality in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.
Published: 2024-10-11T11:30:57.104Z
Updated: 2024-10-11T13:41:55.311Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4994 vulnerable 2026-06-03 14:57:16.674025 Cross-Site Request Forgery (CSRF) in GitLab
HIGH (8.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, and all versions starting from 17.1.0 before 17.1.1, which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
Published: 2025-06-20T18:14:37.887Z
Updated: 2025-06-23T15:22:37.297Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4901 vulnerable 2026-06-03 14:57:16.455245 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.
Published: 2024-06-26T23:31:05.422Z
Updated: 2024-09-17T17:02:23.803Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4835 vulnerable 2026-06-03 14:57:16.287207 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8)
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
Published: 2024-05-23T06:30:50.384Z
Updated: 2024-09-17T15:33:50.607Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4597 vulnerable 2026-06-03 14:57:15.828296 Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (5.7)
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
Published: 2024-05-09T01:38:11.850Z
Updated: 2024-08-29T15:04:58.230Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4557 vulnerable 2026-06-03 14:57:15.755648 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to cause resource exhaustion via the banzai pipeline.
Published: 2024-06-26T23:31:10.425Z
Updated: 2024-08-29T15:04:58.095Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4539 vulnerable 2026-06-03 14:57:15.715801 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service.
Published: 2024-05-09T01:38:21.737Z
Updated: 2024-10-03T06:23:19.371Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4472 vulnerable 2026-06-03 14:57:15.537046 Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
Published: 2024-09-12T18:26:38.059Z
Updated: 2024-09-13T14:17:33.408Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4210 vulnerable 2026-06-03 14:57:14.932581 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.
Published: 2024-08-08T10:02:29.806Z
Updated: 2024-08-29T15:04:57.922Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4201 vulnerable 2026-06-03 14:57:14.922249 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, and all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
Published: 2024-06-12T23:01:56.967Z
Updated: 2024-08-29T15:04:57.749Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4025 vulnerable 2026-06-03 14:57:14.562112 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.
Published: 2025-06-20T18:14:33.011Z
Updated: 2025-06-23T15:22:59.976Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4024 vulnerable 2026-06-03 14:57:14.561501 Authentication Bypass by Assumed-Immutable Data in GitLab
HIGH (7.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
Published: 2024-04-25T13:30:46.597Z
Updated: 2026-06-02T04:14:54.728Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4011 vulnerable 2026-06-03 14:57:14.531775 Improper Access Control in GitLab
LOW (3.1)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.
Published: 2024-06-26T23:31:20.436Z
Updated: 2025-01-09T21:38:32.388Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4006 vulnerable 2026-06-03 14:57:14.476472 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, and all versions starting from 16.11 before 16.11.1 where personal access token scopes were not honored by GraphQL subscriptions.
Published: 2024-04-25T13:30:36.721Z
Updated: 2026-06-02T04:14:49.738Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3976 vulnerable 2026-06-03 14:56:32.572365 Missing Authorization in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
Published: 2025-02-05T12:02:27.929Z
Updated: 2025-02-05T20:12:12.955Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3959 vulnerable 2026-06-03 14:56:32.525833 Improper Authorization in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts to be accessed by any user.
Published: 2024-06-26T23:31:25.425Z
Updated: 2024-08-29T15:04:57.412Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3958 vulnerable 2026-06-03 14:56:32.524619 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 that allows someone to abuse a discrepancy between the web application display and the git command line interface to social engineer victims into cloning non-trusted code.
Published: 2024-08-08T10:31:17.868Z
Updated: 2024-09-17T15:31:43.886Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3127 vulnerable 2026-06-03 14:56:23.541326 Improper Access Control in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.
Published: 2024-08-22T15:31:07.481Z
Updated: 2024-08-29T15:04:57.250Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3115 vulnerable 2026-06-03 14:56:23.511415 Exposure of Sensitive Information to an Unauthorized Actor in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.
Published: 2024-06-26T23:31:35.425Z
Updated: 2024-08-30T13:24:42.967Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3114 vulnerable 2026-06-03 14:56:23.510951 Uncontrolled Resource Consumption in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, where the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
Published: 2024-08-08T10:31:22.868Z
Updated: 2024-08-30T13:24:42.884Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3092 vulnerable 2026-06-03 14:56:23.353576 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.
Published: 2024-04-12T00:53:11.346Z
Updated: 2026-05-31T04:05:33.433Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3035 vulnerable 2026-06-03 14:56:23.159988 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (6.8)
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed LFS tokens to read from and write to the user-owned repositories.
Published: 2024-08-08T10:31:32.879Z
Updated: 2024-09-17T15:29:42.165Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2880 vulnerable 2026-06-03 14:55:36.430341 Improper Access Control in GitLab
LOW (2.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.
Published: 2024-07-11T06:57:24.360Z
Updated: 2024-09-17T17:00:19.878Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2878 vulnerable 2026-06-03 14:55:36.424657 Allocation of Resources Without Limits or Throttling in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.
Published: 2025-02-05T12:21:10.806Z
Updated: 2025-02-05T20:11:02.837Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2874 vulnerable 2026-06-03 14:55:36.416691 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.
Published: 2024-05-23T07:02:35.610Z
Updated: 2024-10-03T06:23:19.176Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2829 vulnerable 2026-06-03 14:55:36.299197 Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
Published: 2024-04-25T11:02:06.060Z
Updated: 2025-11-20T04:12:19.477Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2818 vulnerable 2026-06-03 14:55:36.276293 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels.
Published: 2024-03-28T07:17:48.930Z
Updated: 2024-10-03T06:23:18.989Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2800 vulnerable 2026-06-03 14:55:36.254402 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
Published: 2024-08-08T10:31:37.860Z
Updated: 2024-08-30T13:24:42.805Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2651 vulnerable 2026-06-03 14:55:29.820703 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.
Published: 2024-05-09T01:38:31.730Z
Updated: 2024-10-03T06:23:18.818Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2454 vulnerable 2026-06-03 14:55:29.286738 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request.
Published: 2024-05-09T01:38:36.737Z
Updated: 2024-10-03T06:23:18.723Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2434 vulnerable 2026-06-03 14:55:29.239177 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
HIGH (8.5)
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
Published: 2024-04-25T11:02:15.928Z
Updated: 2025-11-20T04:12:14.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2279 vulnerable 2026-06-03 14:55:28.866593 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.8.6, all versions starting from 16.9 before 16.9.4, and all versions starting from 16.10 before 16.10.2. Using the autocomplete for issue references feature, a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
Published: 2024-04-12T00:53:21.240Z
Updated: 2026-05-02T04:05:37.944Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2191 vulnerable 2026-06-03 14:55:28.634413 Improper Access Control in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.
Published: 2024-06-26T23:31:45.431Z
Updated: 2024-09-17T16:01:03.749Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2177 vulnerable 2026-06-03 14:55:28.547018 Improper Restriction of Rendered UI Layers or Frames in GitLab
MEDIUM (6.8)
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
Published: 2024-07-09T13:30:57.825Z
Updated: 2024-09-17T16:00:34.552Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1963 vulnerable 2026-06-03 14:54:35.090783 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
Published: 2024-06-12T23:02:11.841Z
Updated: 2024-08-30T13:24:42.721Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1947 vulnerable 2026-06-03 14:54:35.060717 Improper Handling of Highly Compressed Data (Data Amplification) in GitLab
MEDIUM (4.3)
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
Published: 2024-05-23T11:02:21.780Z
Updated: 2024-10-03T06:23:18.622Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1816 vulnerable 2026-06-03 14:54:34.717877 Uncontrolled Resource Consumption in GitLab
MEDIUM (5.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.
Published: 2024-06-26T23:31:50.436Z
Updated: 2024-08-29T15:04:55.560Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1736 vulnerable 2026-06-03 14:54:34.445240 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
Published: 2024-06-12T23:02:21.879Z
Updated: 2024-09-18T13:10:48.392Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1495 vulnerable 2026-06-03 14:54:27.128747 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.
Published: 2024-06-12T23:02:16.842Z
Updated: 2024-08-30T13:24:42.541Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1493 vulnerable 2026-06-03 14:54:27.126009 Uncontrolled Resource Consumption in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where the processing logic for generating links in dependency files can lead to a regular expression DoS attack on the server.
Published: 2024-06-26T23:31:55.434Z
Updated: 2024-08-30T13:24:42.450Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1347 vulnerable 2026-06-03 14:54:26.736607 Authentication Bypass by Spoofing in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group.
Published: 2024-04-25T11:02:25.923Z
Updated: 2025-11-20T04:11:59.475Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1299 vulnerable 2026-06-03 14:54:26.637483 Privilege Chaining in GitLab
MEDIUM (6.5)
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.
Published: 2024-03-07T00:39:45.501Z
Updated: 2024-10-03T06:23:18.349Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1211 vulnerable 2026-06-03 14:54:26.467678 Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
Published: 2025-01-30T23:45:00.772Z
Updated: 2025-01-31T20:51:47.207Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-13054 vulnerable 2026-06-03 14:54:23.654204 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2, where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.
Published: 2025-03-13T05:56:09.637Z
Updated: 2025-03-14T14:36:19.463Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-13041 vulnerable 2026-06-03 14:54:23.631944 Incorrect User Management in GitLab
MEDIUM (4.2)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups.
Published: 2025-01-09T06:33:13.241Z
Updated: 2025-01-09T15:29:59.641Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12619 vulnerable 2026-06-03 14:54:22.773923 Insufficient Granularity of Access Control in GitLab
MEDIUM (5.2)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
Published: 2025-03-28T10:02:13.406Z
Updated: 2025-03-28T13:46:51.887Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12570 vulnerable 2026-06-03 14:54:22.669314 Privilege Context Switching Error in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.
Published: 2024-12-12T11:30:44.818Z
Updated: 2024-12-17T04:56:08.962Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12431 vulnerable 2026-06-03 14:54:16.360899 Missing Authorization in GitLab
MEDIUM (4.3)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.
Published: 2025-01-08T20:30:42.896Z
Updated: 2025-02-12T17:12:59.442Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12380 vulnerable 2026-06-03 14:54:16.252796 Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (4.4)
An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
Published: 2025-03-13T05:56:14.642Z
Updated: 2025-03-14T14:35:18.525Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12379 vulnerable 2026-06-03 14:54:16.252450 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access Token.
Published: 2025-02-12T15:02:32.062Z
Updated: 2025-02-12T21:00:39.234Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12303 vulnerable 2026-06-03 14:54:16.094955 Incorrect Privilege Assignment in GitLab
MEDIUM (6.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role.
Published: 2025-08-13T17:27:45.555Z
Updated: 2025-08-13T20:00:25.961Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12292 vulnerable 2026-06-03 14:54:16.056994 Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.
Published: 2024-12-12T11:30:39.823Z
Updated: 2024-12-12T15:44:52.213Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12244 vulnerable 2026-06-03 14:54:15.904383 Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in access controls that could allow users to view certain restricted project information even when related features are disabled in GitLab EE, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
Published: 2025-04-24T07:31:11.125Z
Updated: 2025-04-24T15:23:11.499Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12093 vulnerable 2026-06-03 14:54:15.618085 Improper Validation of Consistency within Input in GitLab
MEDIUM (6.8)
An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
Published: 2025-05-22T14:32:04.147Z
Updated: 2025-05-22T14:44:03.881Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11931 vulnerable 2026-06-03 14:54:15.146430 Insufficient Granularity of Access Control in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint.
Published: 2025-01-24T03:02:16.074Z
Updated: 2025-02-05T20:14:21.196Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11828 vulnerable 2026-06-03 14:54:14.930118 Inefficient Algorithmic Complexity in GitLab
MEDIUM (4.3)
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch.
Published: 2024-11-26T18:41:19.280Z
Updated: 2024-11-26T19:53:40.674Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11669 vulnerable 2026-06-03 14:54:14.643814 Incorrect Authorization in GitLab
MEDIUM (6.5)
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
Published: 2024-11-26T18:41:09.488Z
Updated: 2024-11-30T04:55:54.926Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11668 vulnerable 2026-06-03 14:54:14.640574 Insufficient Session Expiration in GitLab
MEDIUM (4.2)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
Published: 2024-11-26T18:30:45.846Z
Updated: 2024-11-26T18:42:38.028Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11274 vulnerable 2026-06-03 14:54:13.807789 URL Redirection to Untrusted Site ('Open Redirect') in GitLab
HIGH (8.7)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.
Published: 2024-12-12T12:02:20.019Z
Updated: 2024-12-12T15:44:45.428Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11129 vulnerable 2026-06-03 14:54:13.488578 Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (6.3)
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. This allows attackers to perform targeted searches with sensitive keywords to get the count of issues containing the searched term.
Published: 2025-04-10T13:02:48.148Z
Updated: 2025-04-10T13:16:35.153Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10383 vulnerable 2026-06-03 14:54:05.466755 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab VSCode Fork
HIGH (8.7)
An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN, affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343 and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3, and which also temporarily affected versions 17.4, 17.5 and 17.6, where an XSS attack was possible when loading .ipynb files in the Web IDE.
Published: 2025-02-07T14:12:41.757Z
Updated: 2025-02-12T15:17:24.562Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10307 vulnerable 2026-06-03 14:54:05.314312 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
Published: 2025-03-28T10:02:23.294Z
Updated: 2025-03-28T13:42:16.490Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10240 vulnerable 2026-06-03 14:54:05.171207 Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
Published: 2024-11-26T19:22:52.689Z
Updated: 2024-11-26T20:26:23.503Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10219 vulnerable 2026-06-03 14:54:05.135200 Incorrect Authorization in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints.
Published: 2025-08-13T17:28:00.498Z
Updated: 2025-08-13T19:59:02.008Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0456 vulnerable 2026-06-03 14:54:02.796085 Direct Request ('Forced Browsing') in GitLab
MEDIUM (4.3)
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project.
Published: 2024-01-26T01:02:43.953Z
Updated: 2026-06-05T22:59:50.196Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0402 vulnerable 2026-06-03 14:54:02.348440 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
CRITICAL (9.9)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
Published: 2024-01-26T01:02:39.052Z
Updated: 2026-06-03T04:08:40.742Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0231 vulnerable 2026-06-03 14:54:01.941863 Improper Control of Resource Identifiers ('Resource Injection') in GitLab
LOW (2.7)
A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.
Published: 2024-07-24T22:08:20.025Z
Updated: 2024-08-29T15:04:54.292Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0199 vulnerable 2026-06-03 14:54:01.878830 Incorrect Authorization in GitLab
HIGH (7.7)
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.
Published: 2024-03-07T00:39:50.159Z
Updated: 2025-04-16T15:53:24.694Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-7045 vulnerable 2026-06-03 14:53:59.814372 Cross-Site Request Forgery (CSRF) in GitLab
MEDIUM (5.4)
A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).
Published: 2024-05-23T11:02:26.796Z
Updated: 2024-09-18T13:11:01.842Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-7028 vulnerable 2026-06-03 14:53:59.588597 Weak Password Recovery Mechanism for Forgotten Password in GitLab
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Published: 2024-01-12T13:56:41.726Z
Updated: 2026-05-26T04:05:15.369Z
Reference links
Imported from gcve-enriched-dumps CVE data
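Every entry in this listing states its affected ranges in the same GitLab advisory phrasing ("all versions from A prior to B, C before D, ..."; occasionally "all versions before B" with no lower bound). The checker below is an added example, not part of this database or of GitLab's own tooling: it parses those ranges out of an entry's description and decides whether an installed version falls inside any of them. The description text is copied from the CVE-2023-7028 entry above; the `/api/v4/version` response body is a constructed sample of the real endpoint's `{"version": ..., "revision": ...}` shape, and the code only parses a body you fetch yourself, it makes no network call.

```python
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Advisory phrasing seen across this listing:
#   "all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9"   (bounded)
#   "all versions starting from 16.9 before 16.9.7"                  (bounded)
#   "all versions before 16.8.5" / "all versions prior to 16.5.6"    (no lower bound)
_BOUNDED = re.compile(r"(\d+(?:\.\d+)*)\s+(?:prior to|before)\s+(\d+(?:\.\d+)*)")
_OPEN = re.compile(r"\bversions?\s+(?:prior to|before)\s+(\d+(?:\.\d+)*)")

# Constructed sample of a GET /api/v4/version response body (not a real capture).
SAMPLE_API_BODY = '{"version": "16.5.5-ee", "revision": "0123abcd"}'

# Description text copied from the CVE-2023-7028 entry in this listing.
CVE_2023_7028 = (
    "An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 "
    "prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, "
    "16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user "
    "account password reset emails could be delivered to an unverified email address."
)


def parse_version(text: str) -> Version:
    """Turn '16.5.5-ee', 'v17.9' or '16.1' into a 3-tuple; missing parts become 0.
    Suffixes such as '-ee' or '-pre' are ignored for range comparison."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def parse_ranges(description: str) -> List[Tuple[Optional[Version], Version]]:
    """Extract (lower_inclusive_or_None, upper_exclusive) pairs from advisory text.
    'from 16.1 prior to 16.1.6' means 16.1.0 <= v < 16.1.6; a None lower bound
    means every version below the upper bound."""
    ranges: List[Tuple[Optional[Version], Version]] = []
    for lo, hi in _BOUNDED.findall(description):
        ranges.append((parse_version(lo), parse_version(hi)))
    for hi in _OPEN.findall(description):
        ranges.append((None, parse_version(hi)))
    return ranges


def is_affected(installed: str, description: str) -> bool:
    """True if the installed version sits inside any range the description names."""
    v = parse_version(installed)
    for lo, hi in parse_ranges(description):
        if (lo is None or v >= lo) and v < hi:
            return True
    return False


def version_from_api_body(body: str) -> str:
    """Pull the version string out of a GET /api/v4/version JSON response body."""
    return json.loads(body)["version"]


if __name__ == "__main__":
    installed = version_from_api_body(SAMPLE_API_BODY)
    for lo, hi in parse_ranges(CVE_2023_7028):
        print(f"  range: {'<start>' if lo is None else lo} <= v < {hi}")
    print(f"{installed} affected by CVE-2023-7028: {is_affected(installed, CVE_2023_7028)}")
```

Treat this as a triage aid, not a verdict: entries whose ranges describe a component rather than GitLab itself (the gitlab-web-ide-vscode-fork entry, CVE-2024-10383, mixes a CDN build version with GitLab versions) or whose text contains other version-like numbers need to be read by hand, and a version inside a patched series (16.5.6 and later for the 16.5 line above) is only safe for the entries that name that fix, not for later advisories.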
CVE:CVE-2023-6955 vulnerable 2026-06-03 14:53:59.431277 Missing Authorization in GitLab
MEDIUM (6.6)
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
Published: 2024-01-12T13:56:31.881Z
Updated: 2026-05-25T23:00:20.223Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6688 vulnerable 2026-06-03 14:53:58.673464 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.
Published: 2024-05-09T01:38:46.718Z
Updated: 2024-10-03T06:23:17.156Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6682 vulnerable 2026-06-03 14:53:58.665276 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server.
Published: 2024-05-09T01:42:44.606Z
Updated: 2024-10-03T06:23:17.063Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6502 vulnerable 2026-06-03 14:53:52.005770 Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.
Published: 2024-05-23T11:02:31.779Z
Updated: 2024-10-03T06:23:16.789Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6489 vulnerable 2026-06-03 14:53:51.974757 Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2, which allows an attacker to spike the GitLab instance resource usage resulting in service degradation via the chat integration feature.
Published: 2024-04-12T00:53:41.230Z
Updated: 2025-11-20T04:11:28.262Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6386 vulnerable 2026-06-03 14:53:51.628801 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.
Published: 2025-02-05T09:31:10.106Z
Updated: 2025-02-05T14:45:32.989Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6371 vulnerable 2026-06-03 14:53:51.598433 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
Published: 2024-03-28T07:18:03.820Z
Updated: 2026-05-08T04:06:58.687Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6195 vulnerable 2026-06-03 14:53:51.086436 Server-Side Request Forgery (SSRF) in GitLab
LOW (2.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository.
Published: 2025-01-30T23:45:10.780Z
Updated: 2025-02-18T18:59:19.527Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6159 vulnerable 2026-06-03 14:53:51.032538 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.
Published: 2024-01-26T02:02:29.909Z
Updated: 2026-05-06T04:06:19.058Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6051 vulnerable 2026-06-03 14:53:50.231744 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.
Published: 2023-12-15T16:02:50.265Z
Updated: 2025-11-20T04:11:13.279Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6033 vulnerable 2026-06-03 14:53:50.203964 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
HIGH (8.7)
Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3, allows an attacker to execute JavaScript in a victim's browser.
Published: 2023-12-01T07:01:38.124Z
Updated: 2025-11-20T04:11:08.273Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5933 vulnerable 2026-06-03 14:53:49.955741 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
Published: 2024-01-26T01:02:58.931Z
Updated: 2026-04-25T04:05:38.198Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5831 vulnerable 2026-06-03 14:53:49.749833 Insertion of Sensitive Information Into Sent Data in GitLab
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors.
Published: 2023-11-06T10:30:28.442Z
Updated: 2026-06-02T04:13:27.636Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5825 vulnerable 2026-06-03 14:53:49.730669 Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service.
Published: 2023-11-06T10:30:38.334Z
Updated: 2026-04-29T04:05:16.721Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5612 vulnerable 2026-06-03 14:53:49.087743 Missing Authorization in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
Published: 2024-01-26T02:02:39.783Z
Updated: 2025-11-20T04:10:48.267Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5512 vulnerable 2026-06-03 14:53:48.876540 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names, leading to incorrect representation in the UI.
Published: 2023-12-15T16:03:00.260Z
Updated: 2026-04-28T04:05:20.348Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5356 vulnerable 2026-06-03 14:53:48.393184 Incorrect Authorization in GitLab
HIGH (7.3)
Incorrect authorization checks in GitLab CE/EE affecting all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allow a user to abuse Slack/Mattermost integrations to execute slash commands as another user.
Published: 2024-01-12T13:56:51.714Z
Updated: 2026-04-28T04:05:15.311Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5226 vulnerable 2026-06-03 14:53:48.017213 Improper Control of Generation of Code ('Code Injection') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor could bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.
Published: 2023-12-01T07:01:43.131Z
Updated: 2026-04-23T04:05:16.458Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5207 vulnerable 2026-06-03 14:53:47.975435 Execution with Unnecessary Privileges in GitLab
HIGH (8.2)
A vulnerability was discovered in GitLab CE and EE affecting all versions starting from 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Published: 2023-09-30T08:30:30.788Z
Updated: 2025-11-20T04:10:28.256Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5198 vulnerable 2026-06-03 14:53:47.952996 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.
Published: 2023-09-29T07:01:42.219Z
Updated: 2026-05-17T04:06:13.122Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5117 vulnerable 2026-06-03 14:53:47.666236 Exposure of Sensitive Information Due to Incompatible Policies in GitLab
LOW (3.7)
An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.
Published: 2024-12-25T14:46:47.927Z
Updated: 2024-12-26T18:10:54.988Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5061 vulnerable 2026-06-03 14:53:46.882108 Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API.
Published: 2023-12-15T16:03:05.257Z
Updated: 2026-05-02T04:05:18.070Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4812 vulnerable 2026-06-03 14:53:29.722139 Incorrect Authorization in GitLab
HIGH (7.6)
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.
Published: 2024-01-12T13:56:56.701Z
Updated: 2026-05-01T04:05:16.393Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4647 vulnerable 2026-06-03 14:53:29.236637 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances.
Published: 2023-09-01T10:30:27.108Z
Updated: 2026-06-02T04:13:14.397Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4630 vulnerable 2026-06-03 14:53:29.196160 Missing Authorization in GitLab
MEDIUM (5)
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports.
Published: 2023-09-11T13:01:02.519Z
Updated: 2026-06-02T04:13:09.394Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4532 vulnerable 2026-06-03 14:53:28.447925 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects of which they were not a member.
Published: 2023-09-29T06:02:01.299Z
Updated: 2026-04-26T04:06:54.749Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4378 vulnerable 2026-06-03 14:53:27.887961 Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the Sentry token by changing the configured URL in the Sentry error tracking settings page. This was a result of an incomplete fix for CVE-2022-4365.
Published: 2023-09-01T10:30:31.991Z
Updated: 2026-04-24T04:06:57.149Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4317 vulnerable 2026-06-03 14:53:27.822810 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.
Published: 2023-12-01T07:02:03.130Z
Updated: 2025-11-20T04:09:33.265Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4018 vulnerable 2026-06-03 14:53:26.930483 Direct Request ('Forced Browsing') in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects.
Published: 2023-09-01T10:30:41.985Z
Updated: 2026-04-27T04:06:36.504Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4011 vulnerable 2026-06-03 14:53:26.912640 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions from 15.11 prior to 16.2.2 which allows an attacker to spike the resource consumption resulting in DoS.
Published: 2023-08-02T05:30:35.128Z
Updated: 2024-10-03T06:23:14.085Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4008 vulnerable 2026-06-03 14:53:26.904786 Incorrect Ownership Assignment in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to take over GitLab Pages sites with unique domain URLs if the random string added to the domain was known.
Published: 2023-08-03T06:31:21.677Z
Updated: 2026-06-02T04:12:58.974Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3994 vulnerable 2026-06-03 14:52:42.313947 Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint.
Published: 2023-08-02T00:06:50.342Z
Updated: 2026-04-27T04:06:31.406Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3993 vulnerable 2026-06-03 14:52:42.313492 Insertion of Sensitive Information into Log File in GitLab
MEDIUM (4.9)
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint.
Published: 2023-08-02T00:07:00.242Z
Updated: 2024-10-03T06:23:13.637Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3979 vulnerable 2026-06-03 14:52:42.287393 Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for upstream project members who were allowed to collaborate on your branch to gain permission to write to the merge request's source branch.
Published: 2023-09-29T06:02:06.310Z
Updated: 2026-05-08T04:06:39.092Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3964 vulnerable 2026-06-03 14:52:42.230953 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.
Published: 2023-12-01T07:02:18.158Z
Updated: 2026-05-06T04:05:57.591Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3950 vulnerable 2026-06-03 14:52:42.203885 Cleartext Storage of Sensitive Information in GitLab
MEDIUM (5.5)
An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.
Published: 2023-09-01T10:30:46.990Z
Updated: 2026-05-06T04:05:52.878Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3949 vulnerable 2026-06-03 14:52:42.203414 Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public project's release descriptions via an Atom endpoint when release access was restricted to project members only.
Published: 2023-12-01T07:02:13.130Z
Updated: 2025-11-20T04:09:03.271Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3922 vulnerable 2026-06-03 14:52:42.134302 URL Redirection to Untrusted Site ('Open Redirect') in GitLab
LOW (3)
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.
Published: 2023-09-29T07:30:50.402Z
Updated: 2026-04-25T04:05:19.195Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3920 vulnerable 2026-06-03 14:52:42.133693 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for a maintainer to create a fork relationship between existing projects, contrary to the documentation.
Published: 2023-09-29T06:02:31.303Z
Updated: 2026-04-25T04:05:14.315Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3917 vulnerable 2026-06-03 14:52:42.133140 Improper Validation of Specified Type of Input in GitLab
MEDIUM (4.3)
Denial of Service in pipelines affecting all versions of GitLab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to cause pipelines to fail.
Published: 2023-09-29T06:02:26.304Z
Updated: 2026-04-29T04:04:53.712Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3915 vulnerable 2026-06-03 14:52:42.132507 Incorrect Execution-Assigned Permissions in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.
Published: 2023-09-01T10:01:16.853Z
Updated: 2026-05-13T04:04:58.023Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3909 vulnerable 2026-06-03 14:52:42.131339 Inefficient Regular Expression Complexity in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file.
Published: 2023-11-06T12:08:45.129Z
Updated: 2025-11-20T04:08:28.265Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3906 vulnerable 2026-06-03 14:52:42.130454 Improper Validation of Specified Type of Input in GitLab
LOW (3.5)
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image URLs which bypass the asset proxy.
Published: 2023-09-29T06:02:16.308Z
Updated: 2025-11-20T04:08:18.260Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3900 vulnerable 2026-06-03 14:52:42.129640 Improper Validation of Specified Type of Input in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on merge requests page may lead to Denial of Service as Changes tab would not load.
Published: 2023-08-02T00:07:05.231Z
Updated: 2025-11-20T04:08:08.254Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3500 vulnerable 2026-06-03 14:52:41.012502 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (4.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims.
Published: 2023-08-02T00:07:15.239Z
Updated: 2025-11-20T04:07:53.323Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3444 vulnerable 2026-06-03 14:52:40.872257 Incorrect Authorization in GitLab
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.
Published: 2023-07-13T02:08:20.930Z
Updated: 2024-11-05T15:15:46.783Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3443 vulnerable 2026-06-03 14:52:40.869160 Incorrect Authorization in GitLab
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.
Published: 2023-12-01T07:02:33.126Z
Updated: 2025-11-20T04:07:43.258Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3441 vulnerable 2026-06-03 14:52:40.868396 Exposure of Sensitive Information Due to Incompatible Policies in GitLab
MEDIUM (6.6)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.
Published: 2024-10-01T09:47:16.444Z
Updated: 2024-10-01T13:28:02.702Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3424 vulnerable 2026-06-03 14:52:40.764235 Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
Published: 2023-07-13T02:08:07.284Z
Updated: 2024-10-30T19:29:27.116Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3413 vulnerable 2026-06-03 14:52:40.751642 Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Published: 2023-09-29T08:30:56.742Z
Updated: 2025-11-20T04:07:38.285Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3399 vulnerable 2026-06-03 14:52:40.729804 Insertion of Sensitive Information Into Sent Data in GitLab
HIGH (8.5)
An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.
Published: 2023-11-06T12:08:54.970Z
Updated: 2025-11-20T04:07:28.274Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3385 vulnerable 2026-06-03 14:52:40.697007 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
MEDIUM (6.3)
An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html).
Published: 2023-08-01T23:35:55.776Z
Updated: 2025-11-20T04:07:23.274Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3364 vulnerable 2026-06-03 14:52:40.633177 Inefficient Regular Expression Complexity in GitLab
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint.
Published: 2023-08-01T23:36:00.662Z
Updated: 2025-11-20T04:07:18.275Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3363 vulnerable 2026-06-03 14:52:40.632705 Insertion of Sensitive Information into Log File in GitLab
LOW (3.9)
An information disclosure issue in GitLab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`.
Published: 2023-07-13T02:08:35.069Z
Updated: 2024-11-05T15:14:10.202Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3362 vulnerable 2026-06-03 14:52:40.631079 Generation of Error Message Containing Sensitive Information in GitLab
MEDIUM (5.3)
An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub.
Published: 2023-07-13T02:08:46.856Z
Updated: 2024-11-05T15:10:55.758Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3246 vulnerable 2026-06-03 14:52:40.258512 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab EE/CE affecting all versions before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1, which allows an attacker to block the Sidekiq job processor.
Published: 2023-11-06T12:01:43.918Z
Updated: 2025-11-20T04:07:13.254Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3210 vulnerable 2026-06-03 14:52:40.188435 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
Published: 2023-09-01T10:31:06.983Z
Updated: 2025-11-20T04:07:08.262Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3205 vulnerable 2026-06-03 14:52:40.179874 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
Published: 2023-09-01T10:01:26.675Z
Updated: 2025-11-20T04:07:03.335Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3115 vulnerable 2026-06-03 14:52:39.956230 Incorrect User Management in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.
Published: 2023-09-29T06:02:51.300Z
Updated: 2025-11-20T04:06:58.296Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2620 vulnerable 2026-06-03 14:51:43.512633 Insertion of Sensitive Information Into Sent Data in GitLab
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838.
Published: 2023-07-13T02:11:05.008Z
Updated: 2024-11-06T14:22:24.167Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2589 vulnerable 2026-06-03 14:51:43.456970 Details available
MEDIUM (5.9)
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:25:26.100Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2576 vulnerable 2026-06-03 14:51:43.422841 Incorrect Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch.
Published: 2023-07-13T02:08:59.291Z
Updated: 2024-10-30T19:24:40.514Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2485 vulnerable 2026-06-03 14:51:43.219365 Incorrect Privilege Assignment in GitLab
MEDIUM (4.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T15:44:24.332Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2478 vulnerable 2026-06-03 14:51:43.205240 Details available
CRITICAL (9.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.
Published: 2023-05-08T00:00:00.000Z
Updated: 2025-01-29T17:16:21.653Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2442 vulnerable 2026-06-03 14:51:43.152000 Details available
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:29:51.039Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2233 vulnerable 2026-06-03 14:51:42.426125 Missing Authorization in GitLab
LOW (3.1)
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.
Published: 2023-09-29T06:30:51.179Z
Updated: 2025-11-20T04:06:48.254Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2200 vulnerable 2026-06-03 14:51:42.372244 Improper Encoding or Escaping of Output in GitLab
MEDIUM (4.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field.
Published: 2023-07-13T02:02:34.411Z
Updated: 2024-10-30T19:31:16.274Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2199 vulnerable 2026-06-03 14:51:42.371831 Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:45:38.544Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2198 vulnerable 2026-06-03 14:51:42.371420 Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:46:54.703Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2190 vulnerable 2026-06-03 14:51:42.354500 Authorization Bypass Through User-Controlled Key in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.
Published: 2023-07-13T02:00:02.797Z
Updated: 2024-10-30T19:53:19.973Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2164 vulnerable 2026-06-03 14:51:42.294270 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta.
Published: 2023-08-01T23:36:10.665Z
Updated: 2025-11-20T04:06:43.271Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2132 vulnerable 2026-06-03 14:51:42.235491 Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service in DollarMathPostFilter was possible by sending crafted payloads to the preview_markdown endpoint.
Published: 2023-06-06T00:00:00.000Z
Updated: 2025-01-07T21:34:45.492Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2030 vulnerable 2026-06-03 14:51:42.028459 Improper Verification of Cryptographic Signature in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
Published: 2024-01-12T13:57:06.694Z
Updated: 2025-11-20T04:06:38.255Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2022 vulnerable 2026-06-03 14:51:42.003673 Missing Authorization in GitLab
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge.
Published: 2023-08-02T08:30:58.187Z
Updated: 2025-11-20T04:06:33.293Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2015 vulnerable 2026-06-03 14:51:41.964652 Details available
MEDIUM (4.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:48:03.485Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2013 vulnerable 2026-06-03 14:51:41.961844 Details available
LOW (2.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:50:56.690Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2001 vulnerable 2026-06-03 14:51:41.915357 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:54:05.061Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1936 vulnerable 2026-06-03 14:48:56.729026 Exposure of Private Personal Information to an Unauthorized Actor in GitLab
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue.
Published: 2023-07-11T07:58:27.746Z
Updated: 2024-11-12T16:22:49.564Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1836 vulnerable 2026-06-03 14:48:56.577060 Details available
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-01-29T21:46:34.969Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1787 vulnerable 2026-06-03 14:48:56.501161 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:42:19.982Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1733 vulnerable 2026-06-03 14:48:56.358226 Details available
MEDIUM (5.8)
A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:48:40.695Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1710 vulnerable 2026-06-03 14:48:56.304093 Details available
MEDIUM (5.3)
A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:49:48.239Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1708 vulnerable 2026-06-03 14:48:56.295081 Details available
MEDIUM (5.7)
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters get copied from the clipboard, allowing unexpected commands to be executed on the victim's machine.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:51:52.816Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1555 vulnerable 2026-06-03 14:48:55.734121 Missing Authorization in GitLab
LOW (2.7)
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API.
Published: 2023-09-01T10:01:36.711Z
Updated: 2025-11-20T04:06:28.258Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1417 vulnerable 2026-06-03 14:48:55.442236 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T15:26:30.751Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1279 vulnerable 2026-06-03 14:48:54.203895 URL Redirection to Untrusted Site in GitLab
LOW (2.6)
An issue has been discovered in GitLab affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project.
Published: 2023-09-01T10:01:41.677Z
Updated: 2025-11-20T04:06:18.262Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1178 vulnerable 2026-06-03 14:48:53.941402 Details available
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:24:29.956Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1098 vulnerable 2026-06-03 14:48:53.730807 Details available
MEDIUM (5.8)
An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, which allows an admin to leak the password from the repository mirror configuration.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:58:02.109Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1084 vulnerable 2026-06-03 14:48:53.689432 Details available
LOW (2.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:34:19.563Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1072 vulnerable 2026-06-03 14:48:53.638777 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering of the number of requests to read commit details.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:33:11.787Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1071 vulnerable 2026-06-03 14:48:53.638339 Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:58:46.736Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0989 vulnerable 2026-06-03 14:48:53.461251 Improper Ownership Management in GitLab
MEDIUM (4.3)
An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.
Published: 2023-09-29T06:30:56.081Z
Updated: 2025-11-20T04:06:08.264Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0921 vulnerable 2026-06-03 14:48:53.305196 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (4.3)
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Published: 2023-06-06T00:00:00.000Z
Updated: 2025-01-07T21:51:37.372Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0838 vulnerable 2026-06-03 14:48:52.959633 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the URL. This addresses an incomplete fix for CVE-2022-4342.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T20:59:42.972Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0632 vulnerable 2026-06-03 14:48:52.284366 Inefficient Regular Expression Complexity in GitLab
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry.
Published: 2023-08-01T23:36:30.662Z
Updated: 2025-11-20T04:06:03.830Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0523 vulnerable 2026-06-03 14:48:51.968617 Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T21:09:32.085Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0518 vulnerable 2026-06-03 14:48:46.588531 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T19:13:59.735Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0508 vulnerable 2026-06-03 14:48:46.577789 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T16:58:22.665Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0483 vulnerable 2026-06-03 14:48:46.502319 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:31:41.989Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0450 vulnerable 2026-06-03 14:48:46.337056 Details available
LOW (3.7)
An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible to add a branch with an ambiguous name that could be used to social engineer users.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T15:29:29.135Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0319 vulnerable 2026-06-03 14:48:46.035061 Details available
MEDIUM (5.8)
An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, which allowed environment names that were supposed to be restricted to project members only to be read.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T16:09:27.128Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0223 vulnerable 2026-06-03 14:48:45.867238 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:29:52.818Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0155 vulnerable 2026-06-03 14:48:45.723610 Details available
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects were possible due to framing arbitrary content on any page allowing user-controlled markdown.
Published: 2023-05-03T00:00:00.000Z
Updated: 2025-02-12T16:06:37.397Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0121 vulnerable 2026-06-03 14:48:45.659706 Allocation of Resources Without Limits or Throttling in GitLab
MEDIUM (6.5)
A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts.
Published: 2023-06-07T00:00:00.000Z
Updated: 2025-01-07T17:00:17.563Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0120 vulnerable 2026-06-03 14:48:45.657469 Incorrect Authorization in GitLab
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible for an unauthorised user to edit label descriptions.
Published: 2023-09-01T10:01:51.685Z
Updated: 2025-11-20T04:05:58.275Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0050 vulnerable 2026-06-03 14:48:45.494448 Details available
HIGH (8.7)
An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:28:39.137Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-0042 vulnerable 2026-06-03 14:48:45.475355 Details available
MEDIUM (6.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T13:41:06.344Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4462 vulnerable 2026-06-03 14:48:40.977658 Details available
MEDIUM (5)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T21:27:23.832Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4365 vulnerable 2026-06-03 14:48:35.588834 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in the Sentry error tracking settings page.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T13:51:16.139Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4342 vulnerable 2026-06-03 14:48:35.546576 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:44:33.383Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4289 vulnerable 2026-06-03 14:48:35.416075 Details available
MEDIUM (6.4)
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in the Prometheus integration were not hidden and could be leaked from instance, group, or project settings to other users.
Published: 2023-03-09T00:00:00.000Z
Updated: 2024-08-03T01:34:50.021Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4255 vulnerable 2026-06-03 14:48:35.341780 Details available
MEDIUM (4.3)
An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-27T20:17:04.693Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4205 vulnerable 2026-06-03 14:48:35.258520 Details available
MEDIUM (6.3)
In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-27T20:21:18.593Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4201 vulnerable 2026-06-03 14:48:35.254391 Details available
LOW (3.5)
A blind SSRF in GitLab CE/EE affecting all versions from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner.
Published: 2023-01-27T00:00:00.000Z
Updated: 2025-03-27T20:20:58.630Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4143 vulnerable 2026-06-03 14:48:35.186546 Details available
MEDIUM (6.4)
An issue has been discovered in GitLab affecting all versions starting from 15.7 before 15.8.5, from 15.9 before 15.9.4, and from 15.10 before 15.10.1 that allows crafted, unapproved MRs to be introduced and merged without authorization.
Published: 2023-06-28T00:00:00.000Z
Updated: 2024-12-03T19:59:00.410Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4138 vulnerable 2026-06-03 14:48:35.175353 Details available
MEDIUM (6.4)
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T19:13:19.474Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4131 vulnerable 2026-06-03 14:48:35.158586 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:27:37.240Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4054 vulnerable 2026-06-03 14:48:35.008411 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:15:52.961Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4037 vulnerable 2026-06-03 14:48:34.963276 Details available
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T16:22:03.062Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4007 vulnerable 2026-06-03 14:48:34.893816 Details available
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2. A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims on the client side.
Published: 2023-03-08T00:00:00.000Z
Updated: 2025-03-12T19:52:24.294Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3902 vulnerable 2026-06-03 14:47:59.504012 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:00:25.550Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3870 vulnerable 2026-06-03 14:47:59.440193 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-09T13:14:42.655Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3820 vulnerable 2026-06-03 14:47:59.336106 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:02:18.005Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3819 vulnerable 2026-06-03 14:47:59.335700 Details available
LOW (3.5)
An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows malicious users to set emojis on internal notes they don't have access to.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:20:42.132Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3818 vulnerable 2026-06-03 14:47:59.335276 Details available
MEDIUM (5.3)
An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:21:26.144Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3793 vulnerable 2026-06-03 14:47:59.313871 Details available
MEDIUM (4.3)
An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:22:11.846Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3759 vulnerable 2026-06-03 14:47:59.256718 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a Sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T18:38:24.181Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3758 vulnerable 2026-06-03 14:47:59.256315 Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permission checks, an unauthorised user was able to read, add or edit a user's private snippet.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T17:30:48.778Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3740 vulnerable 2026-06-03 14:47:58.993343 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass the External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:03:23.934Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3726 vulnerable 2026-06-03 14:47:58.951731 Details available
MEDIUM (4.8)
Lack of sandboxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user into clicking on the Swagger OpenAPI viewer and issuing HTTP requests that affect the victim's account.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:23:10.307Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3706 vulnerable 2026-06-03 14:47:58.930316 Details available
LOW (3.1)
Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:23:59.790Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3613 vulnerable 2026-06-03 14:47:58.801190 Details available
MEDIUM (5.8)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query can cause high resource consumption and may lead to Denial of Service.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:06:58.671Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3573 vulnerable 2026-06-03 14:47:58.721962 Details available
MEDIUM (5.4)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on self-hosted instances running without strict CSP.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:15:38.863Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3572 vulnerable 2026-06-03 14:47:58.721435 Details available
CRITICAL (9.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:03:52.887Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3514 vulnerable 2026-06-03 14:47:58.632877 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.
Published: 2023-01-12T00:00:00.000Z
Updated: 2025-04-08T15:55:39.078Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3513 vulnerable 2026-06-03 14:47:58.632369 Details available
MEDIUM (6.1)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-11T16:12:28.033Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3486 vulnerable 2026-06-03 14:47:58.588204 Details available
MEDIUM (4.7)
An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:28:07.599Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3483 vulnerable 2026-06-03 14:47:58.579690 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:28:48.167Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3482 vulnerable 2026-06-03 14:47:58.579188 Details available
MEDIUM (5.3)
An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases were set to be restricted to project members only.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:04:21.592Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3478 vulnerable 2026-06-03 14:47:58.499369 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.
Published: 2023-01-24T00:00:00.000Z
Updated: 2025-04-02T15:05:04.648Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3411 vulnerable 2026-06-03 14:47:58.292520 Details available
MEDIUM (6.5)
A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Published: 2023-02-13T00:00:00.000Z
Updated: 2025-03-21T18:39:31.969Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3381 vulnerable 2026-06-03 14:47:58.233691 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites.
Published: 2023-03-09T00:00:00.000Z
Updated: 2025-02-28T17:31:41.075Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3375 vulnerable 2026-06-03 14:47:58.214369 Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when an attacker has a fork of a project that was switched to private.
Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-10T21:11:02.636Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3330 vulnerable 2026-06-03 14:47:52.904221 Details available
MEDIUM (4.3)
It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T20:17:58.974Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3325 vulnerable 2026-06-03 14:47:52.894530 Details available
LOW (2.7)
Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allowed an unauthorised user to edit the approval rules via the API.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:37:11.798Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3288 vulnerable 2026-06-03 14:47:52.861499 Details available
LOW (3.5)
A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:43:38.380Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3285 vulnerable 2026-06-03 14:47:52.857021 Details available
MEDIUM (5.3)
Bypass of the healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:24:39.816Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3283 vulnerable 2026-06-03 14:47:52.853677 Details available
HIGH (7.5)
A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. While cloning an issue, specially crafted content added to the description could have been used to trigger high CPU usage.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:46:08.723Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3280 vulnerable 2026-06-03 14:47:52.749393 Details available
LOW (3.5)
An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:25:23.142Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3279 vulnerable 2026-06-03 14:47:52.748958 Details available
LOW (2.7)
An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:50:02.812Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3265 vulnerable 2026-06-03 14:47:52.583826 Details available
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:26:11.438Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3067 vulnerable 2026-06-03 14:47:51.935209 Details available
MEDIUM (6.5)
An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects' content given the project's ID.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:05:44.923Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3060 vulnerable 2026-06-03 14:47:51.922903 Details available
HIGH (7.3)
Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:19:52.449Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3031 vulnerable 2026-06-03 14:47:51.897285 Details available
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:20:42.728Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3030 vulnerable 2026-06-03 14:47:51.896720 Details available
MEDIUM (4.3)
An improper access control issue in GitLab CE/EE affecting all versions before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:21:50.323Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3018 vulnerable 2026-06-03 14:47:51.872097 Details available
MEDIUM (6.8)
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.
Published: 2022-10-28T00:00:00.000Z
Updated: 2025-05-07T14:36:20.373Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2992 vulnerable 2026-06-03 14:47:07.704718 Details available
CRITICAL (9.9)
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T14:27:30.020Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2931 vulnerable 2026-06-03 14:47:07.594212 Details available
HIGH (7.5)
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T16:25:28.130Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2908 vulnerable 2026-06-03 14:47:07.546635 Details available
MEDIUM (4.3)
A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 that allowed an attacker to trigger high CPU usage via specially crafted input added in the Commit message field.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:10:54.397Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2907 vulnerable 2026-06-03 14:47:07.546184 Details available
MEDIUM (5.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible for an unauthorised user to read repository content if a project member used a crafted link.
Published: 2023-01-17T00:00:00.000Z
Updated: 2025-04-04T17:43:37.905Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2904 vulnerable 2026-06-03 14:47:07.539953 Details available
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-11-02T00:00:00.000Z
Updated: 2025-05-02T18:47:03.811Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2884 vulnerable 2026-06-03 14:47:07.515409 Details available
CRITICAL (9.9)
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T14:24:19.300Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2882 vulnerable 2026-06-03 14:47:07.514596 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.
Published: 2022-10-28T00:00:00.000Z
Updated: 2025-05-07T15:09:31.479Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2865 vulnerable 2026-06-03 14:47:07.484038 Details available
HIGH (7.3)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 prior to 15.2.4, and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in the label colour setting which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-14T13:57:18.072Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2761 vulnerable 2026-06-03 14:47:07.271496 Details available
MEDIUM (4.3)
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T19:35:56.179Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2630 vulnerable 2026-06-03 14:47:06.795535 Details available
MEDIUM (4.3)
An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:13:05.848Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2592 vulnerable 2026-06-03 14:47:06.738958 Details available
MEDIUM (6.5)
A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15.1.6, 15.2 prior to 15.2.4 and 15.3 prior to 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which, when requested with or without authentication, places excessive load on the server, potentially leading to Denial of Service.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:16:27.656Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2539 vulnerable 2026-06-03 14:47:06.616751 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 that allowed a project member to filter issues by contact and organization.
Published: 2022-08-05T15:09:58.000Z
Updated: 2024-08-03T00:39:08.068Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2534 vulnerable 2026-06-03 14:47:06.604325 Details available
LOW (2.2)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was returning contributor emails due to improper data handling in the Datadog integration.
Published: 2022-08-05T15:11:53.000Z
Updated: 2024-08-03T00:39:08.000Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2533 vulnerable 2026-06-03 14:47:06.603884 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:32:13.138Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2527 vulnerable 2026-06-03 14:47:06.599334 Details available
HIGH (7.3)
An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2, which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could trigger arbitrary requests.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:34:35.460Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2512 vulnerable 2026-06-03 14:47:06.552331 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. Membership changes are not reflected in TODOs for confidential notes, allowing former project members to read updates via TODOs.
Published: 2022-08-05T15:09:47.000Z
Updated: 2024-08-03T00:39:07.942Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2500 vulnerable 2026-06-03 14:47:06.526679 Details available
MEDIUM (4.4)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
Published: 2022-08-05T15:12:34.000Z
Updated: 2024-08-03T00:39:07.807Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2497 vulnerable 2026-06-03 14:47:06.525514 Details available
HIGH (8.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious developer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.
Published: 2022-08-05T15:09:19.000Z
Updated: 2024-08-03T00:39:07.794Z
Reference links
Imported from gcve-enriched-dumps CVE data
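CVE-2022-2882 and CVE-2022-2497 above describe the same pattern: an integration stores a secret next to a destination URL that a lower-privileged role can edit, so whoever edits the URL can point the authenticated request at their own server and collect the token. The following is an added example, not GitLab's code or GitLab's fix. It binds the secret to the origin (scheme, host, port) it was entered for, discards it when a later edit moves the integration to another origin, and refuses to attach it to a request for any other origin. The class and function names, the "https only" rule and the placeholder token value are this example's own assumptions.

```python
"""Bind an integration's secret to the destination it was entered for.

Added example, not GitLab code or GitLab's fix. `Integration`, `origin_of`
and the rule that a changed origin discards the token are this example's
own design; the token value is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)


class CredentialBindingError(Exception):
    """A request would carry a secret to an origin it was not entered for."""


def origin_of(url: str) -> Origin:
    """Normalised origin; only absolute https URLs are accepted (assumption)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"integration URL must be absolute https: {url!r}")
    return ("https", parts.hostname.lower(), parts.port or 443)


@dataclass
class Integration:
    api_url: str
    token: Optional[str] = None
    bound_origin: Optional[Origin] = None

    @classmethod
    def configure(cls, api_url: str, token: str) -> "Integration":
        """Entering a token binds it to the origin of the URL entered with it."""
        return cls(api_url=api_url, token=token, bound_origin=origin_of(api_url))

    def update_url(self, new_url: str) -> None:
        """Editing the URL keeps the token only while the origin is unchanged.

        Moving the integration to another host discards the secret, so the
        editor has to supply a token valid for the new host themselves; the
        old one never follows the URL.
        """
        if origin_of(new_url) != self.bound_origin:
            self.token = None
            self.bound_origin = None
        self.api_url = new_url

    def outbound_headers(self, request_url: str) -> Dict[str, str]:
        """Headers for a request the integration is about to send."""
        if self.token is None:
            raise CredentialBindingError("no token bound; re-enter credentials")
        if origin_of(request_url) != self.bound_origin:
            raise CredentialBindingError(
                f"refusing to send token to {origin_of(request_url)}; "
                f"bound to {self.bound_origin}")
        return {"Authorization": f"Bearer {self.token}"}


def naive_headers(token: str) -> Dict[str, str]:
    """The pattern behind both entries: the stored token is attached to
    whatever the current URL is, so editing the URL exfiltrates it."""
    return {"Authorization": f"Bearer {token}"}


def simulate_url_edit(attacker_url: str) -> Dict[str, bool]:
    """A maintainer edits an already-configured integration's URL, then the
    integration fires. Returns whether each implementation sent the token."""
    token = "ghp_constructedExampleToken"  # constructed placeholder, not a real token
    sent_naive = "Authorization" in naive_headers(token)
    integ = Integration.configure("https://api.github.com", token)
    integ.update_url(attacker_url)
    try:
        integ.outbound_headers(integ.api_url.rstrip("/") + "/repos/org/project")
        sent_bound = True
    except CredentialBindingError:
        sent_bound = False
    return {"naive": sent_naive, "bound": sent_bound}


if __name__ == "__main__":
    print(simulate_url_edit("https://attacker.example/collect"))
```

`simulate_url_edit` contrasts the naive behaviour with the bound one. The same rule has to hold inside the HTTP client: if it follows redirects, it must drop the Authorization header whenever a redirect leaves the bound origin, otherwise a 302 from the legitimate host bypasses the check.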
CVE:CVE-2022-2459 vulnerable 2026-06-03 14:47:06.420386 Details available
LOW (2.7)
An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled.
Published: 2022-08-05T15:12:45.000Z
Updated: 2024-08-03T00:39:07.815Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2456 vulnerable 2026-06-03 14:47:06.413742 Details available
MEDIUM (4.9)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request.
Published: 2022-08-05T15:10:42.000Z
Updated: 2024-08-03T00:39:07.782Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2455 vulnerable 2026-06-03 14:47:06.413288 Details available
MEDIUM (6.5)
A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:41:20.560Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2428 vulnerable 2026-06-03 14:47:06.336676 Details available
MEDIUM (6.4)
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests.
Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T19:48:23.382Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2417 vulnerable 2026-06-03 14:47:06.312403 Details available
MEDIUM (6.2)
Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, the same shape as a full Git commit ID. This could be abused in supply chain attacks where a victim had pinned to a specific Git commit of the project.
Published: 2022-08-05T15:10:27.000Z
Updated: 2024-08-03T00:39:06.949Z
Reference links
Imported from gcve-enriched-dumps CVE data
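The entry above turns on a Git name-resolution rule: `git checkout <id>` resolves `<id>` as an object, but if a branch called `refs/heads/<id>` also exists it checks out that branch instead, so a branch whose name is a full 40-hex commit ID shadows the commit a consumer believes it pinned. What follows is an added example, not part of the page or of GitLab: a guard that a CI job or import pipeline can run over `git ls-remote` output before checking out a pinned commit. The listing is constructed; the safe-command helper relies on git rejecting `^` in ref names, so `<id>^{commit}` can only resolve as an object.

```python
"""Detect refs whose names collide with commit ids before trusting a pinned commit.

Added example (not GitLab code). It works on `git ls-remote` output, so it
runs in a CI job or import pipeline without a local clone. The listing below
is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A full SHA-1 (40) or SHA-256 (64) object id in hex.
OBJECT_ID = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

SAMPLE_LS_REMOTE = (
    "9c2c7b2d3d6a6b9b6f1b0d5e3e2a7c4f8b1d0e9a\tHEAD\n"
    "9c2c7b2d3d6a6b9b6f1b0d5e3e2a7c4f8b1d0e9a\trefs/heads/main\n"
    # A branch literally named after a commit id, pointing somewhere else.
    "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f\trefs/heads/4e5b1f2a3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f\n"
    "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\trefs/tags/v1.0.0\n"
)


@dataclass(frozen=True)
class Ref:
    target: str  # object id the ref points to
    name: str    # full ref name, e.g. refs/heads/main


def parse_ls_remote(text: str) -> List[Ref]:
    """`git ls-remote` prints "<object id><TAB><ref name>" per line."""
    refs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        target, name = line.split("\t", 1)
        refs.append(Ref(target.strip().lower(), name.strip()))
    return refs


def short_name(ref_name: str) -> str:
    for prefix in ("refs/heads/", "refs/tags/", "refs/remotes/"):
        if ref_name.startswith(prefix):
            return ref_name[len(prefix):]
    return ref_name


def id_shaped_refs(refs: List[Ref]) -> List[Ref]:
    """Refs whose short name is itself a full object id. Nothing legitimate
    produces such names; treat any as hostile."""
    return [r for r in refs if OBJECT_ID.match(short_name(r.name))]


def check_pin(refs: List[Ref], pinned_commit: str) -> Tuple[bool, str]:
    """Refuse a checkout of `pinned_commit` when any ref carries that exact name.

    With a branch named <id> present, `git checkout <id>` lands on the branch
    tip, not on the pinned commit.
    """
    pinned = pinned_commit.lower()
    for ref in refs:
        if short_name(ref.name) == pinned:
            return False, f"{ref.name} shadows the pinned commit (points to {ref.target})"
    return True, "no ref shadows the pinned commit"


def safe_checkout_command(pinned_commit: str) -> str:
    """`^{commit}` cannot be part of a ref name (git rejects `^` in refnames),
    so this spelling forces git to resolve the argument as an object id."""
    return f"git checkout --detach {pinned_commit}^{{commit}}"


if __name__ == "__main__":
    refs = parse_ls_remote(SAMPLE_LS_REMOTE)
    for r in id_shaped_refs(refs):
        print("suspicious ref:", r.name, "->", r.target)
    ok, why = check_pin(refs, "4e5b1f2a3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f")
    print(ok, why)
    print(safe_checkout_command("4e5b1f2a3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f"))
```

Beyond the one pinned commit, `id_shaped_refs` flags every ref whose name has the shape of an object ID, so an import or mirror step can reject the whole repository instead of checking each pin individually.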
CVE:CVE-2022-2326 vulnerable 2026-06-03 14:47:06.089062 Details available
MEDIUM (6.4)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using another user's email address as an unverified secondary email.
Published: 2022-08-05T15:11:26.000Z
Updated: 2024-08-03T00:32:09.623Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2307 vulnerable 2026-06-03 14:47:06.017732 Details available
LOW (3.5)
A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.
Published: 2022-08-05T15:11:12.000Z
Updated: 2024-08-03T00:32:09.596Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2303 vulnerable 2026-06-03 14:47:06.006801 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA.
Published: 2022-08-05T15:11:39.000Z
Updated: 2024-08-03T00:32:09.595Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2270 vulnerable 2026-06-03 14:47:05.904802 Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification.
Published: 2022-07-01T16:31:47.000Z
Updated: 2024-08-03T00:32:09.374Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2250 vulnerable 2026-06-03 14:47:05.833298 Details available
MEDIUM (4.7)
An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL.
Published: 2022-07-01T15:03:14.000Z
Updated: 2024-08-03T00:32:09.428Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2244 vulnerable 2026-06-03 14:47:00.507929 Details available
MEDIUM (4.3)
An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project members with the Reporter role to manage issues in the project's error tracking feature.
Published: 2022-07-01T15:04:24.000Z
Updated: 2024-08-03T00:32:09.492Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2243 vulnerable 2026-06-03 14:47:00.507464 Details available
MEDIUM (5)
An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked Sentry projects.
Published: 2022-07-01T15:52:32.000Z
Updated: 2024-08-03T00:32:09.539Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2230 vulnerable 2026-06-03 14:47:00.485260 Details available
HIGH (8.1)
A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf.
Published: 2022-07-01T15:55:13.000Z
Updated: 2024-08-03T00:32:09.532Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2229 vulnerable 2026-06-03 14:47:00.484713 Details available
HIGH (7.5)
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.
Published: 2022-07-01T16:30:45.000Z
Updated: 2024-08-03T00:32:09.479Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2227 vulnerable 2026-06-03 14:47:00.483879 Details available
LOW (3.1)
Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project metadata under certain conditions.
Published: 2022-07-01T15:53:58.000Z
Updated: 2024-08-03T00:32:09.371Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2185 vulnerable 2026-06-03 14:47:00.424148 Details available
CRITICAL (9.9)
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
Published: 2022-07-01T15:50:03.000Z
Updated: 2024-08-03T00:32:08.558Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2095 vulnerable 2026-06-03 14:47:00.247448 Details available
MEDIUM (4.3)
An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key.
Published: 2022-08-05T15:12:59.000Z
Updated: 2024-08-03T00:24:44.172Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1999 vulnerable 2026-06-03 14:46:00.049379 Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, using the REST API an unprivileged user was able to change label descriptions.
Published: 2022-07-01T16:06:59.000Z
Updated: 2024-08-03T00:24:43.699Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1963 vulnerable 2026-06-03 14:45:59.991602 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authentication on their account in the HTML source, to unauthenticated users.
Published: 2022-07-01T17:00:05.000Z
Updated: 2024-08-03T00:24:43.676Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1954 vulnerable 2026-06-03 14:45:59.972180 Details available
MEDIUM (4.3)
A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers.
Published: 2022-07-01T17:01:14.000Z
Updated: 2024-08-03T00:24:43.630Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1944 vulnerable 2026-06-03 14:45:59.948761 Details available
MEDIUM (5.4)
When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs.
Published: 2022-06-06T16:58:35.000Z
Updated: 2024-08-03T00:24:42.991Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1821 vulnerable 2026-06-03 14:45:59.683150 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.
Published: 2022-06-06T16:56:35.000Z
Updated: 2024-08-03T00:17:00.595Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1783 vulnerable 2026-06-03 14:45:59.604777 Details available
LOW (2.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group.
Published: 2022-06-06T17:00:32.000Z
Updated: 2024-08-03T00:16:59.907Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1545 vulnerable 2026-06-03 14:45:59.102783 Details available
MEDIUM (4.3)
It was possible to disclose details of confidential notes created via the API in GitLab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note.
Published: 2022-05-11T14:25:17.000Z
Updated: 2024-08-03T00:10:02.897Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1510 vulnerable 2026-06-03 14:45:59.026185 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption.
Published: 2022-05-11T14:48:22.000Z
Updated: 2024-08-03T00:03:06.350Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1460 vulnerable 2026-06-03 14:45:58.932676 Details available
MEDIUM (6.1)
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user.
Published: 2022-05-11T14:45:11.000Z
Updated: 2024-08-03T00:03:06.291Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1433 vulnerable 2026-06-03 14:45:58.898343 Details available
LOW (2.6)
An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute.
Published: 2022-05-11T14:27:44.000Z
Updated: 2024-08-03T00:03:06.378Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1431 vulnerable 2026-06-03 14:45:58.897548 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption.
Published: 2022-05-10T20:27:54.000Z
Updated: 2024-08-03T00:03:06.272Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1428 vulnerable 2026-06-03 14:45:58.890758 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was incorrectly verifying throttling limits for authenticated package requests which resulted in limits not being enforced.
Published: 2022-05-11T14:40:27.000Z
Updated: 2024-08-03T00:03:06.260Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1426 vulnerable 2026-06-03 14:45:58.889875 Details available
LOW (2)
An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user who had a certain amount of information, which allowed the user to authenticate without a personal access token.
Published: 2022-05-11T14:35:42.000Z
Updated: 2024-08-03T00:03:06.238Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1423 vulnerable 2026-06-03 14:45:58.888904 Details available
HIGH (7.1)
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches.
Published: 2022-05-19T17:12:32.000Z
Updated: 2024-08-03T00:03:06.294Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1417 vulnerable 2026-06-03 14:45:58.881295 Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs.
Published: 2022-05-10T20:30:36.000Z
Updated: 2024-08-03T00:03:06.201Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1416 vulnerable 2026-06-03 14:45:58.880833 Details available
MEDIUM (4.3)
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling.
Published: 2022-05-19T17:10:07.000Z
Updated: 2024-08-03T00:03:06.264Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1413 vulnerable 2026-06-03 14:45:58.874836 Details available
MEDIUM (5.4)
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface.
Published: 2022-05-19T17:11:12.000Z
Updated: 2024-08-03T00:03:06.276Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1406 vulnerable 2026-06-03 14:45:58.865503 Details available
MEDIUM (6.5)
Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0 allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project.
Published: 2022-05-11T14:42:27.000Z
Updated: 2024-08-03T00:03:06.362Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1352 vulnerable 2026-06-03 14:45:58.598661 Details available
MEDIUM (5.3)
Due to an insecure direct object reference vulnerability in GitLab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issues to project members only.
Published: 2022-05-11T14:30:02.000Z
Updated: 2024-08-03T00:03:05.823Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1193 vulnerable 2026-06-03 14:45:58.226473 Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances.
Published: 2022-04-11T19:38:25.000Z
Updated: 2024-08-02T23:55:24.436Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1190 vulnerable 2026-06-03 14:45:58.222765 Details available
HIGH (8.7)
Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc.
Published: 2022-04-04T19:46:15.000Z
Updated: 2024-08-02T23:55:24.448Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1189 vulnerable 2026-06-03 14:45:58.222364 Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 that allowed an unauthorised user to read the approval rules of a private project.
Published: 2022-04-04T19:46:00.000Z
Updated: 2024-08-02T23:55:24.233Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1188 vulnerable 2026-06-03 14:45:58.221809 Details available
LOW (3.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible.
Published: 2022-04-04T19:46:05.000Z
Updated: 2024-08-02T23:55:24.446Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1185 vulnerable 2026-06-03 14:45:58.213904 Details available
MEDIUM (6.5)
A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash the GitLab web application with a maliciously crafted RDoc file.
Published: 2022-04-04T19:46:09.000Z
Updated: 2024-08-02T23:55:24.257Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1175 vulnerable 2026-06-03 14:45:58.194401 Details available
HIGH (8.7)
Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.
Published: 2022-04-04T19:46:15.000Z
Updated: 2024-08-02T23:55:24.361Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1174 vulnerable 2026-06-03 14:45:58.193881 Details available
MEDIUM (4.3)
A potential DoS vulnerability was discovered in GitLab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 that allowed an attacker to trigger high CPU usage via specially crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc.
Published: 2022-04-04T19:46:06.000Z
Updated: 2024-08-02T23:55:24.266Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1162 vulnerable 2026-06-03 14:45:58.170388 Details available
CRITICAL (9.1)
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts.
Published: 2022-04-04T19:46:14.000Z
Updated: 2024-08-02T23:55:24.375Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1157 vulnerable 2026-06-03 14:45:58.114177 Details available
LOW (2.6)
Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged.
Published: 2022-04-11T19:38:26.000Z
Updated: 2024-08-02T23:55:24.358Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1148 vulnerable 2026-06-03 14:45:58.098384 Details available
MEDIUM (5.3)
Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites.
Published: 2022-04-04T19:46:13.000Z
Updated: 2024-08-02T23:55:24.266Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1124 vulnerable 2026-06-03 14:45:58.090979 Details available
MEDIUM (4.3)
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access the trace log of jobs when it is enabled.
Published: 2022-05-11T14:50:29.000Z
Updated: 2024-08-02T23:55:24.360Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1121 vulnerable 2026-06-03 14:45:58.083718 Details available
MEDIUM (5.3)
A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption.
Published: 2022-04-04T19:46:11.000Z
Updated: 2024-08-02T23:55:23.783Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1120 vulnerable 2026-06-03 14:45:58.081683 Details available
MEDIUM (4.8)
Missing filtering in an error message in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive information when an include directive fails in the CI/CD configuration.
Published: 2022-04-04T19:46:08.000Z
Updated: 2024-08-02T23:55:23.714Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1111 vulnerable 2026-06-03 14:45:58.063253 Details available
LOW (2.4)
A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages.
Published: 2022-04-04T19:46:10.000Z
Updated: 2024-08-02T23:55:24.171Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1105 vulnerable 2026-06-03 14:45:58.021619 Details available
MEDIUM (4.3)
An improper access control vulnerability in GitLab CE/EE affecting all versions from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an unauthorized user to access pipeline analytics even when public pipelines are disabled.
Published: 2022-04-04T19:46:04.000Z
Updated: 2024-08-02T23:55:22.835Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1100 vulnerable 2026-06-03 14:45:58.012466 Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage.
Published: 2022-04-04T19:46:02.000Z
Updated: 2024-08-02T23:55:23.609Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1099 vulnerable 2026-06-03 14:45:58.012055 Details available
MEDIUM (4.3)
Adding a very large number of tags to a runner in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to impact the performance of GitLab
Published: 2022-04-04T19:46:03.000Z
Updated: 2024-08-02T23:55:24.230Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0751 vulnerable 2026-06-03 14:45:56.831139 Details available
MEDIUM (6.5)
Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands
Published: 2022-03-28T18:53:03.000Z
Updated: 2024-08-02T23:40:03.589Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0741 vulnerable 2026-06-03 14:45:56.805981 Details available
MEDIUM (5.8)
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses.
Published: 2022-04-01T22:17:40.000Z
Updated: 2024-08-02T23:40:03.552Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0740 vulnerable 2026-06-03 14:45:56.805549 Details available
LOW (3.1)
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
Published: 2022-04-04T19:45:59.000Z
Updated: 2024-08-02T23:40:03.563Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0738 vulnerable 2026-06-03 14:45:56.801822 Details available
MEDIUM (4.2)
An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.
Published: 2022-03-28T18:53:04.000Z
Updated: 2024-08-02T23:40:03.539Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0735 vulnerable 2026-06-03 14:45:56.795653 Details available
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
Published: 2022-03-28T18:52:59.000Z
Updated: 2024-08-02T23:40:03.557Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0549 vulnerable 2026-06-03 14:45:56.377620 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not possible to do through the Web UI.
Published: 2022-03-28T18:53:00.000Z
Updated: 2024-08-02T23:32:46.433Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0489 vulnerable 2026-06-03 14:45:56.260817 Details available
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15. It was possible to trigger a DOS by using the math feature with a specific formula in issue comments.
Published: 2022-04-01T22:17:35.000Z
Updated: 2024-08-02T23:32:45.611Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0488 vulnerable 2026-06-03 14:45:56.260389 Details available
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10. It was possible to trigger a timeout on a page with markdown by using a specific amount of block-quotes.
Published: 2022-03-28T18:53:08.000Z
Updated: 2024-08-02T23:32:45.231Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0427 vulnerable 2026-06-03 14:45:56.158962 Details available
HIGH (7.7)
Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover
Published: 2022-03-28T18:53:05.000Z
Updated: 2024-08-02T23:25:40.340Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0425 vulnerable 2026-06-03 14:45:56.156503 Details available
MEDIUM (5.4)
A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks.
Published: 2022-04-01T22:17:39.000Z
Updated: 2024-08-02T23:25:40.638Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0390 vulnerable 2026-06-03 14:45:56.079317 Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed project non-members to retrieve issue details when the issue was linked to an item from the vulnerability dashboard.
Published: 2022-04-01T22:17:36.000Z
Updated: 2024-08-02T23:25:40.347Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0373 vulnerable 2026-06-03 14:45:56.047753 Details available
MEDIUM (4.3)
Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address
Published: 2022-04-01T22:17:37.000Z
Updated: 2024-08-02T23:25:40.164Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0371 vulnerable 2026-06-03 14:45:56.047040 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 before 14.5.4, all versions starting from 14.6 before 14.6.4, all versions starting from 14.7 before 14.7.1. GitLab search may allow authenticated users to search other users by their respective private emails even if a user set their email to private.
Published: 2022-03-28T18:53:01.000Z
Updated: 2024-08-02T23:25:40.560Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0244 vulnerable 2026-06-03 14:45:55.780741 Details available
HIGH (8.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible when importing a group, due to incorrect handling of a file.
Published: 2022-01-18T16:52:00.000Z
Updated: 2024-08-02T23:18:42.896Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0172 vulnerable 2026-06-03 14:45:55.577911 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones.
Published: 2022-01-18T16:51:53.000Z
Updated: 2024-08-02T23:18:41.998Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0167 vulnerable 2026-06-03 14:45:55.564497 Details available
LOW (3.1)
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the Autocomplete attribute of fields related to sensitive information making it possible to be retrieved under certain conditions.
Published: 2022-07-01T17:02:23.000Z
Updated: 2024-08-02T23:18:41.986Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0154 vulnerable 2026-06-03 14:45:55.530613 Details available
HIGH (7.5)
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.
Published: 2022-01-18T16:52:04.000Z
Updated: 2024-08-02T23:18:41.740Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0152 vulnerable 2026-06-03 14:45:55.529669 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.
Published: 2022-01-18T16:51:56.000Z
Updated: 2024-08-02T23:18:42.056Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0151 vulnerable 2026-06-03 14:45:55.529150 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions.
Published: 2022-01-18T16:51:58.000Z
Updated: 2024-08-02T23:18:41.720Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0125 vulnerable 2026-06-03 14:45:55.443042 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.
Published: 2022-01-18T16:52:06.000Z
Updated: 2024-08-02T23:18:41.803Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0124 vulnerable 2026-06-03 14:45:55.442495 Details available
MEDIUM (4.3)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab's Slack integration is incorrectly validating user input and allows crafting malicious URLs that are sent to Slack.
Published: 2022-01-18T16:52:03.000Z
Updated: 2024-08-02T23:18:41.675Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0093 vulnerable 2026-06-03 14:45:55.415773 Details available
LOW (3.5)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds.
Published: 2022-01-18T16:52:07.000Z
Updated: 2024-08-02T23:18:41.539Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0090 vulnerable 2026-06-03 14:45:55.414758 Details available
MEDIUM (6.5)
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.
Published: 2022-01-18T16:52:09.000Z
Updated: 2024-08-02T23:18:41.713Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-4191 vulnerable 2026-06-03 14:45:47.961725 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.
Published: 2022-03-28T18:53:12.000Z
Updated: 2024-08-03T17:16:04.293Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39946 vulnerable 2026-06-03 14:45:09.879687 Details available
HIGH (8.7)
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis
Published: 2022-01-18T16:52:11.000Z
Updated: 2024-08-04T02:20:34.213Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39945 vulnerable 2026-06-03 14:45:09.879298 Details available
LOW (2.7)
Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked
Published: 2021-12-13T15:47:49.000Z
Updated: 2024-08-04T02:20:34.109Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39944 vulnerable 2026-06-03 14:45:09.878910 Details available
HIGH (7.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import
Published: 2021-12-13T15:47:48.000Z
Updated: 2024-08-04T02:20:34.148Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39942 vulnerable 2026-06-03 14:45:09.878142 Details available
MEDIUM (4.3)
A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service.
Published: 2022-01-18T16:52:12.000Z
Updated: 2024-08-04T02:20:34.141Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39941 vulnerable 2026-06-03 14:45:09.877743 Details available
LOW (3.7)
An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members
Published: 2021-12-13T15:48:00.000Z
Updated: 2024-08-04T02:20:34.131Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39940 vulnerable 2026-06-03 14:45:09.877322 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.
Published: 2021-12-13T15:47:47.000Z
Updated: 2024-08-04T02:20:34.190Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39939 vulnerable 2026-06-03 14:45:09.876808 Details available
MEDIUM (6.5)
An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on runner manager
Published: 2021-12-13T15:48:02.000Z
Updated: 2024-08-04T02:20:34.025Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39938 vulnerable 2026-06-03 14:45:09.869049 Details available
LOW (3.1)
A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands
Published: 2021-12-13T15:47:52.000Z
Updated: 2024-08-04T02:20:34.129Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39937 vulnerable 2026-06-03 14:45:09.868669 Details available
MEDIUM (5.9)
A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances
Published: 2021-12-13T15:47:51.000Z
Updated: 2024-08-04T02:20:34.096Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39936 vulnerable 2026-06-03 14:45:09.868291 Details available
LOW (3.5)
Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.
Published: 2021-12-13T15:47:50.000Z
Updated: 2024-08-04T02:20:34.197Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39935 vulnerable 2026-06-03 14:45:09.867882 Details available
MEDIUM (6.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API
Published: 2021-12-13T15:47:59.000Z
Updated: 2026-02-03T17:20:23.263Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39934 vulnerable 2026-06-03 14:45:09.867215 Details available
MEDIUM (4.3)
Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.
Published: 2021-12-13T15:47:57.000Z
Updated: 2024-08-04T02:20:34.187Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39933 vulnerable 2026-06-03 14:45:09.866833 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack.
Published: 2021-12-13T15:47:53.000Z
Updated: 2024-08-04T02:20:34.065Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39932 vulnerable 2026-06-03 14:45:09.866440 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.
Published: 2021-12-13T15:47:58.000Z
Updated: 2024-08-04T02:20:34.203Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39931 vulnerable 2026-06-03 14:45:09.866064 Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific conditions an unauthorised project member was allowed to delete a protected branch due to a business logic error.
Published: 2021-12-13T15:47:50.000Z
Updated: 2024-08-04T02:20:34.167Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39930 vulnerable 2026-06-03 14:45:09.865673 Details available
MEDIUM (4.3)
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
Published: 2021-12-13T15:48:02.000Z
Updated: 2024-08-04T02:20:34.134Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39927 vulnerable 2026-06-03 14:45:09.864291 Details available
LOW (3.5)
Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443
Published: 2022-01-18T16:51:55.000Z
Updated: 2024-08-04T02:20:34.234Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39919 vulnerable 2026-06-03 14:45:09.853563 Details available
MEDIUM (4.4)
In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
Published: 2021-12-13T15:47:55.000Z
Updated: 2024-08-04T02:20:34.231Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39918 vulnerable 2026-06-03 14:45:09.853175 Details available
LOW (3.1)
Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed.
Published: 2021-12-13T15:47:46.000Z
Updated: 2024-08-04T02:20:34.144Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39917 vulnerable 2026-06-03 14:45:09.852778 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack.
Published: 2021-12-13T15:47:58.000Z
Updated: 2024-08-04T02:20:34.188Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39916 vulnerable 2026-06-03 14:45:09.852362 Details available
MEDIUM (4.3)
Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.
Published: 2021-12-13T15:47:56.000Z
Updated: 2024-08-04T02:20:33.776Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39915 vulnerable 2026-06-03 14:45:09.851843 Details available
MEDIUM (5.3)
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
Published: 2021-12-13T15:47:54.000Z
Updated: 2024-08-04T02:20:33.854Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39914 vulnerable 2026-06-03 14:45:09.851431 Details available
LOW (3.1)
A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user
Published: 2021-11-04T22:39:17.000Z
Updated: 2024-08-04T02:20:33.786Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39913 vulnerable 2026-06-03 14:45:09.851012 Details available
MEDIUM (4.4)
Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges
Published: 2021-11-04T23:08:15.000Z
Updated: 2024-08-04T02:20:33.764Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39912 vulnerable 2026-06-03 14:45:09.850642 Details available
MEDIUM (5.3)
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using malformed TIFF images, it was possible to trigger memory exhaustion.
Published: 2021-11-04T23:05:49.000Z
Updated: 2024-08-04T02:20:33.680Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39911 vulnerable 2026-06-03 14:45:09.850214 Details available
LOW (1.7)
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes the private email address of Issue and Merge Request assignees to Webhook data consumers.
Published: 2021-11-04T23:16:02.000Z
Updated: 2024-08-04T02:20:33.804Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39910 vulnerable 2026-06-03 14:45:09.849828 Details available
LOW (2.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.
Published: 2021-12-13T15:47:46.000Z
Updated: 2024-08-04T02:20:33.691Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39908 vulnerable 2026-06-03 14:45:09.848992 Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.
Published: 2022-04-01T22:17:38.000Z
Updated: 2024-08-04T02:20:33.693Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39907 vulnerable 2026-06-03 14:45:09.848589 Details available
MEDIUM (5.3)
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
Published: 2021-11-04T23:14:42.000Z
Updated: 2024-08-04T02:20:33.681Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39906 vulnerable 2026-06-03 14:45:09.848189 Details available
HIGH (8.7)
Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
Published: 2021-11-04T23:04:36.000Z
Updated: 2024-08-04T02:20:33.690Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39905 vulnerable 2026-06-03 14:45:09.847754 Details available
MEDIUM (4.3)
An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with
Published: 2021-11-04T23:17:10.000Z
Updated: 2024-08-04T02:20:33.677Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39904 vulnerable 2026-06-03 14:45:09.844717 Details available
MEDIUM (4.3)
An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request
Published: 2021-11-04T23:13:11.000Z
Updated: 2024-08-04T02:20:33.680Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39903 vulnerable 2026-06-03 14:45:09.844289 Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
Published: 2021-11-04T22:42:01.000Z
Updated: 2024-08-04T02:20:33.686Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39902 vulnerable 2026-06-03 14:45:09.843823 Details available
MEDIUM (4.3)
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
Published: 2021-11-04T22:40:34.000Z
Updated: 2024-08-04T02:20:33.778Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39901 vulnerable 2026-06-03 14:45:09.840412 Details available
LOW (2.7)
In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint.
Published: 2021-11-04T23:09:28.000Z
Updated: 2024-08-04T02:20:33.701Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39900 vulnerable 2026-06-03 14:45:09.839973 Details available
LOW (2)
Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
Published: 2021-10-04T16:45:45.000Z
Updated: 2024-08-04T02:20:33.699Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39899 vulnerable 2026-06-03 14:45:09.839585 Details available
LOW (2.9)
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
Published: 2021-10-04T16:47:01.000Z
Updated: 2024-08-04T02:20:33.678Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39898 vulnerable 2026-06-03 14:45:09.839119 Details available
LOW (3.7)
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
Published: 2021-11-04T23:21:32.000Z
Updated: 2024-08-04T02:20:33.663Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39897 vulnerable 2026-06-03 14:45:09.834877 Details available
LOW (2.6)
Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred
Published: 2021-11-04T23:07:04.000Z
Updated: 2024-08-04T02:20:33.759Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39896 vulnerable 2026-06-03 14:45:09.834493 Details available
LOW (3.8)
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.
Published: 2021-10-04T16:44:28.000Z
Updated: 2024-08-04T02:20:33.774Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39895 vulnerable 2026-06-03 14:45:09.834081 Details available
MEDIUM (6)
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.
Published: 2021-11-04T23:11:51.000Z
Updated: 2024-08-04T02:20:33.884Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39894 vulnerable 2026-06-03 14:45:09.833650 Details available
MEDIUM (5.4)
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer, which attackers may use to perform Server Side Request Forgery attacks.
Published: 2021-10-05T12:33:05.000Z
Updated: 2024-08-04T02:20:33.670Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39893 vulnerable 2026-06-03 14:45:09.833269 Details available
MEDIUM (5.3)
A potential DoS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
Published: 2021-10-05T12:18:22.000Z
Updated: 2024-08-04T02:20:33.763Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39892 vulnerable 2026-06-03 14:45:09.832842 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.
Published: 2022-01-18T16:52:13.000Z
Updated: 2024-08-04T02:20:33.593Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39891 vulnerable 2026-06-03 14:45:09.832422 Details available
MEDIUM (5.9)
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.
Published: 2021-10-05T13:38:07.000Z
Updated: 2024-08-04T02:20:33.670Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39887 vulnerable 2026-06-03 14:45:09.827204 Details available
HIGH (7.3)
A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.
Published: 2021-10-05T11:12:11.000Z
Updated: 2024-08-04T02:20:33.689Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39886 vulnerable 2026-06-03 14:45:09.826814 Details available
LOW (2.6)
Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.
Published: 2021-10-05T13:39:17.000Z
Updated: 2024-08-04T02:20:33.642Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39884 vulnerable 2026-06-03 14:45:09.826009 Details available
MEDIUM (4.3)
In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
Published: 2021-10-05T12:27:21.000Z
Updated: 2024-08-04T02:20:33.652Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39882 vulnerable 2026-06-03 14:45:09.818878 Details available
MEDIUM (5.3)
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
Published: 2021-10-05T12:22:05.000Z
Updated: 2024-08-04T02:20:33.633Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39881 vulnerable 2026-06-03 14:45:09.818501 Details available
LOW (3.5)
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
Published: 2021-10-05T13:40:33.000Z
Updated: 2024-08-04T02:20:33.652Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39880 vulnerable 2026-06-03 14:45:09.818072 Details available
MEDIUM (6.5)
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
Published: 2021-10-05T14:01:43.000Z
Updated: 2024-08-04T02:20:33.608Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39879 vulnerable 2026-06-03 14:45:09.817652 Details available
LOW (2.2)
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication.
Published: 2021-10-04T16:42:11.000Z
Updated: 2024-08-04T02:20:33.644Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39878 vulnerable 2026-06-03 14:45:09.817282 Details available
MEDIUM (5.8)
A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary JavaScript code.
Published: 2021-10-05T12:17:08.000Z
Updated: 2024-08-04T02:20:33.708Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39877 vulnerable 2026-06-03 14:45:09.816774 Details available
HIGH (7.7)
A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.
Published: 2021-10-04T16:41:04.000Z
Updated: 2024-08-04T02:20:33.679Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39876 vulnerable 2026-06-03 14:45:09.816367 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.
Published: 2022-03-28T18:53:09.000Z
Updated: 2024-08-04T02:20:33.669Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39875 vulnerable 2026-06-03 14:45:09.815937 Details available
MEDIUM (5.3)
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
Published: 2021-10-05T12:28:28.000Z
Updated: 2024-08-04T02:20:33.568Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39874 vulnerable 2026-06-03 14:45:09.815542 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.
Published: 2021-10-04T16:50:47.000Z
Updated: 2024-08-04T02:20:33.620Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39873 vulnerable 2026-06-03 14:45:09.815114 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.
Published: 2021-10-04T16:43:24.000Z
Updated: 2024-08-04T02:20:33.651Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39872 vulnerable 2026-06-03 14:45:09.814695 Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with an expired password to still access GitLab through git and the API using access tokens acquired before password expiration.
Published: 2021-10-05T12:34:28.000Z
Updated: 2024-08-04T02:20:33.624Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39871 vulnerable 2026-06-03 14:45:09.814268 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.
Published: 2021-10-04T16:48:11.000Z
Updated: 2024-08-04T02:20:33.665Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39870 vulnerable 2026-06-03 14:45:09.813882 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.
Published: 2021-10-05T13:41:53.000Z
Updated: 2024-08-04T02:20:33.659Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39869 vulnerable 2026-06-03 14:45:09.813454 Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.
Published: 2021-10-05T12:30:52.000Z
Updated: 2024-08-04T02:20:33.663Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39868 vulnerable 2026-06-03 14:45:09.813008 Details available
MEDIUM (4.3)
In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.
Published: 2021-10-04T16:55:29.000Z
Updated: 2024-08-04T02:20:33.614Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39867 vulnerable 2026-06-03 14:45:09.812555 Details available
MEDIUM (6.5)
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
Published: 2021-10-05T12:29:39.000Z
Updated: 2024-08-04T02:20:33.672Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-39866 vulnerable 2026-06-03 14:45:09.810387 Details available
MEDIUM (5.4)
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
Published: 2021-10-05T12:35:39.000Z
Updated: 2024-08-04T02:20:33.617Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-32823 vulnerable 2026-06-03 14:44:40.375080 Potential Denial-of-Service in bindata
LOW (3.7)
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.
Published: 2021-06-23T23:40:12.000Z
Updated: 2024-08-03T23:33:55.878Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22264 vulnerable 2026-06-03 14:43:52.390289 Details available
MEDIUM (6.8)
An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.
Published: 2021-10-05T13:45:31.000Z
Updated: 2024-08-03T18:37:18.500Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22263 vulnerable 2026-06-03 14:43:52.389881 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
Published: 2021-10-11T16:47:47.000Z
Updated: 2024-08-03T18:37:18.536Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22262 vulnerable 2026-06-03 14:43:52.389487 Details available
MEDIUM (5.4)
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page.
Published: 2021-10-05T13:48:15.000Z
Updated: 2024-08-03T18:37:18.492Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22261 vulnerable 2026-06-03 14:43:52.389076 Details available
HIGH (7.3)
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses.
Published: 2021-10-05T13:59:40.000Z
Updated: 2024-08-03T18:37:18.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22260 vulnerable 2026-06-03 14:43:52.388671 Details available
HIGH (7.7)
A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
Published: 2021-11-04T23:10:38.000Z
Updated: 2024-08-03T18:37:18.503Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22258 vulnerable 2026-06-03 14:43:52.387922 Details available
MEDIUM (4.3)
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses.
Published: 2021-10-05T13:49:33.000Z
Updated: 2024-08-03T18:37:18.484Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22257 vulnerable 2026-06-03 14:43:52.387513 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.
Published: 2021-10-05T13:46:53.000Z
Updated: 2024-08-03T18:37:18.503Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22256 vulnerable 2026-06-03 14:43:52.387099 Details available
MEDIUM (5.4)
Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status.
Published: 2021-08-25T18:30:43.000Z
Updated: 2024-08-03T18:37:18.477Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22254 vulnerable 2026-06-03 14:43:52.379668 Details available
LOW (3.1)
Under very specific conditions a user could be impersonated using GitLab Shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.
Published: 2021-08-20T17:37:29.000Z
Updated: 2024-08-03T18:37:18.539Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22253 vulnerable 2026-06-03 14:43:52.379280 Details available
MEDIUM (4.9)
Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access had been removed.
Published: 2021-08-23T19:34:47.000Z
Updated: 2024-08-03T18:37:18.258Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22252 vulnerable 2026-06-03 14:43:52.378886 Details available
MEDIUM (6.5)
A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers.
Published: 2021-08-23T19:36:39.000Z
Updated: 2024-08-03T18:37:18.277Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22250 vulnerable 2026-06-03 14:43:52.378136 Details available
MEDIUM (5.4)
Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account.
Published: 2021-08-25T18:28:30.000Z
Updated: 2024-08-03T18:37:18.267Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22249 vulnerable 2026-06-03 14:43:52.377746 Details available
MEDIUM (4.3)
A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group.
Published: 2021-08-23T19:53:20.000Z
Updated: 2024-08-03T18:37:18.281Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22248 vulnerable 2026-06-03 14:43:52.377345 Details available
MEDIUM (5.3)
Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only.
Published: 2021-08-23T19:42:07.000Z
Updated: 2024-08-03T18:37:18.266Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22247 vulnerable 2026-06-03 14:43:52.376963 Details available
MEDIUM (4.3)
Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics.
Published: 2021-08-25T18:32:59.000Z
Updated: 2024-08-03T18:37:18.175Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22246 vulnerable 2026-06-03 14:43:52.376572 Details available
HIGH (7.7)
A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks.
Published: 2021-08-20T17:38:43.000Z
Updated: 2024-08-03T18:37:18.252Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22245 vulnerable 2026-06-03 14:43:52.376167 Details available
LOW (2.7)
Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view.
Published: 2021-08-25T18:31:57.000Z
Updated: 2024-08-03T18:37:18.243Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22243 vulnerable 2026-06-03 14:43:52.375395 Details available
MEDIUM (5)
Under specialized conditions, GitLab CE/EE versions starting with 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access to a group.
Published: 2021-08-25T18:36:06.000Z
Updated: 2024-08-03T18:37:18.309Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22242 vulnerable 2026-06-03 14:43:52.374989 Details available
HIGH (8.7)
Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially crafted markdown.
Published: 2021-08-25T18:38:24.000Z
Updated: 2024-08-03T18:37:18.232Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22241 vulnerable 2026-06-03 14:43:52.374555 Details available
HIGH (8.7)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site scripting vulnerability via a specifically crafted default branch name.
Published: 2021-08-05T19:28:23.000Z
Updated: 2024-08-03T18:37:18.367Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22239 vulnerable 2026-06-03 14:43:52.370068 Details available
MEDIUM (5)
An unauthorized user was able to insert metadata when creating a new issue on GitLab CE/EE 14.0 and later.
Published: 2021-09-09T14:41:34.000Z
Updated: 2024-08-03T18:37:18.281Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22238 vulnerable 2026-06-03 14:43:52.369691 Details available
MEDIUM (6.8)
An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.
Published: 2021-08-20T17:39:54.000Z
Updated: 2024-08-03T18:37:18.293Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22237 vulnerable 2026-06-03 14:43:52.369316 Details available
MEDIUM (6.6)
Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2.
Published: 2021-08-25T18:37:19.000Z
Updated: 2024-08-03T18:37:18.434Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22236 vulnerable 2026-06-03 14:43:52.368919 Details available
MEDIUM (5.5)
Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
Published: 2021-08-25T18:39:18.000Z
Updated: 2024-08-03T18:37:18.092Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22234 vulnerable 2026-06-03 14:43:52.368083 Details available
CRITICAL (9.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.0.4. A specially crafted design image allowed attackers to read arbitrary files on the server.
Published: 2021-08-05T20:30:25.000Z
Updated: 2024-08-03T18:37:18.427Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22232 vulnerable 2026-06-03 14:43:52.367335 Details available
LOW (3.5)
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE.
Published: 2021-07-06T20:43:43.000Z
Updated: 2024-08-03T18:37:18.237Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22231 vulnerable 2026-06-03 14:43:52.366943 Details available
LOW (3.5)
A denial of service in the user's profile page was found starting with GitLab CE/EE 8.0 that allows an attacker to deny access to their own profile page by using a specially crafted username.
Published: 2021-07-07T10:28:23.000Z
Updated: 2024-08-03T18:37:18.497Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22230 vulnerable 2026-06-03 14:43:52.366506 Details available
MEDIUM (4.9)
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
Published: 2021-07-07T10:47:31.000Z
Updated: 2024-08-03T18:37:18.220Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22226 vulnerable 2026-06-03 14:43:52.363121 Details available
MEDIUM (6.5)
Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9.
Published: 2021-07-06T20:56:53.000Z
Updated: 2024-08-03T18:37:17.937Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22223 vulnerable 2026-06-03 14:43:52.362024 Details available
MEDIUM (6.1)
Client-side code injection through the Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to issue PUT requests on behalf of other users when they click on a link.
Published: 2021-07-06T21:50:25.000Z
Updated: 2024-08-03T18:37:18.268Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22221 vulnerable 2026-06-03 14:43:52.355041 Details available
MEDIUM (6.5)
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allows a user to maintain limited access after their password has expired.
Published: 2021-06-08T18:52:20.000Z
Updated: 2024-08-03T18:37:18.251Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22219 vulnerable 2026-06-03 14:43:52.354289 Details available
MEDIUM (4.4)
All versions of GitLab CE/EE starting from 9.5 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 allow a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
Published: 2021-06-08T18:38:17.000Z
Updated: 2024-08-03T18:37:17.702Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22218 vulnerable 2026-06-03 14:43:52.353811 Details available
LOW (2.6)
All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the handling of x509 certificates that could be used to spoof the author of signed commits.
Published: 2021-06-08T15:04:57.000Z
Updated: 2024-08-03T18:37:17.682Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22217 vulnerable 2026-06-03 14:43:52.353409 Details available
MEDIUM (6.5)
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request.
Published: 2021-06-08T18:25:29.000Z
Updated: 2024-08-03T18:37:17.638Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22216 vulnerable 2026-06-03 14:43:52.353006 Details available
MEDIUM (6.5)
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description.
Published: 2021-06-08T19:19:25.000Z
Updated: 2024-08-03T18:37:18.260Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22213 vulnerable 2026-06-03 14:43:52.351905 Details available
HIGH (8.8)
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari.
Published: 2021-06-08T18:03:58.000Z
Updated: 2024-08-03T18:37:18.348Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22211 vulnerable 2026-06-03 14:43:52.347895 Details available
LOW (3.1)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
Published: 2021-05-05T22:03:25.000Z
Updated: 2024-08-03T18:37:18.409Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22210 vulnerable 2026-06-03 14:43:52.347523 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
Published: 2021-05-06T13:19:32.000Z
Updated: 2024-08-03T18:37:17.924Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22209 vulnerable 2026-06-03 14:43:52.347125 Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens, which resulted in a GraphQL mutation being executed.
Published: 2021-05-06T13:37:47.000Z
Updated: 2024-08-03T18:37:18.262Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22208 vulnerable 2026-06-03 14:43:52.346715 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.
Published: 2021-05-06T13:35:17.000Z
Updated: 2024-08-03T18:37:18.290Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22206 vulnerable 2026-06-03 14:43:52.343279 Details available
MEDIUM (6.8)
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed, allowing other maintainers to view the credentials in plain text.
Published: 2021-05-06T13:25:10.000Z
Updated: 2024-08-03T18:37:18.443Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22205 vulnerable 2026-06-03 14:43:52.342833 Details available
CRITICAL (10)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Published: 2021-04-23T17:39:36.000Z
Updated: 2025-10-21T23:25:48.290Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22203 vulnerable 2026-06-03 14:43:52.335771 Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
Published: 2021-04-02T16:16:15.000Z
Updated: 2024-08-03T18:37:17.326Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22202 vulnerable 2026-06-03 14:43:52.335363 Details available
LOW (2.4)
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
Published: 2021-04-02T16:25:43.000Z
Updated: 2024-08-03T18:37:18.190Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22201 vulnerable 2026-06-03 14:43:52.334959 Details available
CRITICAL (9.6)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
Published: 2021-04-02T16:17:40.000Z
Updated: 2024-08-03T18:37:18.224Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22200 vulnerable 2026-06-03 14:43:52.331625 Details available
MEDIUM (5.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
Published: 2021-04-02T16:22:37.000Z
Updated: 2024-08-03T18:37:18.276Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22199 vulnerable 2026-06-03 14:43:52.331239 Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
Published: 2021-04-22T21:56:00.000Z
Updated: 2024-08-03T18:37:18.257Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22198 vulnerable 2026-06-03 14:43:52.330835 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
Published: 2021-04-02T16:20:10.000Z
Updated: 2024-08-03T18:37:17.882Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22197 vulnerable 2026-06-03 14:43:52.330435 Details available
LOW (3.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exists when an authenticated user with specific rights accesses an MR whose source and target branches point to each other.
Published: 2021-04-02T16:21:24.000Z
Updated: 2024-08-03T18:37:17.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22196 vulnerable 2026-06-03 14:43:52.330007 Details available
MEDIUM (6.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site scripting vulnerability in a merge request via a specifically crafted branch name.
Published: 2021-04-02T16:14:37.000Z
Updated: 2024-08-03T18:37:17.698Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22194 vulnerable 2026-06-03 14:43:52.322543 Details available
MEDIUM (5.7)
In all versions of GitLab, marshalled session keys were being stored in Redis.
Published: 2021-03-26T19:08:16.000Z
Updated: 2024-08-03T18:37:18.118Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22193 vulnerable 2026-06-03 14:43:52.322159 Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
Published: 2021-03-24T16:57:47.000Z
Updated: 2024-08-03T18:37:18.311Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22192 vulnerable 2026-06-03 14:43:52.321551 Details available
CRITICAL (9.9)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
Published: 2021-03-24T16:36:47.000Z
Updated: 2024-08-03T18:37:17.341Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22190 vulnerable 2026-06-03 14:43:52.320645 Details available
HIGH (8.5)
A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token
Published: 2021-04-12T14:31:04.000Z
Updated: 2024-08-03T18:37:18.205Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22189 vulnerable 2026-06-03 14:43:52.320244 Details available
MEDIUM (5.9)
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
Published: 2021-03-04T14:54:34.000Z
Updated: 2024-08-03T18:37:18.364Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22188 vulnerable 2026-06-03 14:43:52.319858 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
Published: 2021-03-03T17:56:21.000Z
Updated: 2024-08-03T18:37:18.206Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22187 vulnerable 2026-06-03 14:43:52.319449 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions of GitLab EE/CE before 13.6.7. A potential resource exhaustion issue allowed running or pending jobs to continue even after the project was deleted.
Published: 2021-03-02T18:15:16.000Z
Updated: 2024-08-03T18:37:18.277Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22186 vulnerable 2026-06-03 14:43:52.319063 Details available
MEDIUM (4.9)
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
Published: 2021-03-24T16:42:06.000Z
Updated: 2024-08-03T18:37:17.915Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22185 vulnerable 2026-06-03 14:43:52.318663 Details available
MEDIUM (5.4)
Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki
Published: 2021-03-24T16:39:21.000Z
Updated: 2024-08-03T18:37:18.297Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22184 vulnerable 2026-06-03 14:43:52.318269 Details available
MEDIUM (6.2)
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
Published: 2021-03-26T19:11:39.000Z
Updated: 2024-08-03T18:37:18.076Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22183 vulnerable 2026-06-03 14:43:52.317885 Details available
MEDIUM (4.1)
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
Published: 2021-03-04T14:56:28.000Z
Updated: 2024-08-03T18:37:18.244Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22182 vulnerable 2026-06-03 14:43:52.317484 Details available
LOW (3.5)
An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request.
Published: 2021-03-03T17:57:50.000Z
Updated: 2024-08-03T18:37:17.169Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22181 vulnerable 2026-06-03 14:43:52.317082 Details available
HIGH (7.7)
A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
Published: 2021-06-11T15:43:20.000Z
Updated: 2024-08-03T18:37:17.999Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22180 vulnerable 2026-06-03 14:43:52.316698 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
Published: 2021-03-26T19:09:59.000Z
Updated: 2024-08-03T18:37:17.452Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22179 vulnerable 2026-06-03 14:43:52.316284 Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
Published: 2021-03-24T16:48:30.000Z
Updated: 2024-08-03T18:37:17.689Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22178 vulnerable 2026-06-03 14:43:52.315868 Details available
MEDIUM (5)
An issue has been discovered in GitLab affecting all versions starting from 13.2. GitLab was vulnerable to an SSRF attack through the Prometheus integration.
Published: 2021-03-24T16:59:51.000Z
Updated: 2024-08-03T18:37:17.932Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22177 vulnerable 2026-06-03 14:43:52.315473 Details available
MEDIUM (4.3)
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
Published: 2021-04-01T14:19:07.000Z
Updated: 2024-08-03T18:37:17.998Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22176 vulnerable 2026-06-03 14:43:52.315051 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
Published: 2021-03-24T16:46:05.000Z
Updated: 2024-08-03T18:37:17.155Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22175 vulnerable 2026-06-03 14:43:52.314624 Details available
MEDIUM (6.8)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
Published: 2021-06-11T15:30:12.000Z
Updated: 2026-02-19T04:55:37.221Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22172 vulnerable 2026-06-03 14:43:52.306894 Details available
MEDIUM (4.3)
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page
Published: 2021-03-26T19:06:48.000Z
Updated: 2024-08-03T18:37:17.263Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22171 vulnerable 2026-06-03 14:43:52.306435 Details available
HIGH (7.3)
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
Published: 2021-01-15T15:10:39.000Z
Updated: 2024-08-03T18:37:18.342Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22168 vulnerable 2026-06-03 14:43:52.305233 Details available
MEDIUM (4.3)
A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
Published: 2021-01-15T15:05:18.000Z
Updated: 2024-08-03T18:37:17.218Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22167 vulnerable 2026-06-03 14:43:52.304772 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
Published: 2021-01-15T15:12:17.000Z
Updated: 2024-08-03T18:37:18.547Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-22166 vulnerable 2026-06-03 14:43:52.303558 Details available
MEDIUM (5.3)
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method
Published: 2021-01-15T15:13:51.000Z
Updated: 2024-08-03T18:37:17.189Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-8113 vulnerable 2026-06-03 14:43:08.016679 Details available
GitLab 10.7 and later through 12.7.2 has Incorrect Access Control.
Published: 2020-03-06T17:20:21.000Z
Updated: 2024-08-04T09:48:25.617Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-7973 vulnerable 2026-06-03 14:43:07.800974 Details available
GitLab through 12.7.2 allows XSS.
Published: 2020-02-05T15:52:09.000Z
Updated: 2024-08-04T09:48:25.287Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-7968 vulnerable 2026-06-03 14:43:07.799593 Details available
GitLab EE 8.0 through 12.7.2 has Incorrect Access Control.
Published: 2020-02-05T15:56:45.000Z
Updated: 2024-08-04T09:48:25.439Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-6832 vulnerable 2026-06-03 14:42:59.163690 Details available
An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects.
Published: 2020-01-13T19:47:56.000Z
Updated: 2024-08-04T09:11:05.114Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-5197 vulnerable 2026-06-03 14:42:55.253380 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control.
Published: 2020-01-13T19:51:41.000Z
Updated: 2024-08-04T08:22:08.908Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26417 vulnerable 2026-06-03 14:42:16.836541 Details available
MEDIUM (5.3)
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
Published: 2020-12-11T03:37:36.000Z
Updated: 2024-08-04T15:56:04.584Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26416 vulnerable 2026-06-03 14:42:16.836156 Details available
MEDIUM (4)
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
Published: 2020-12-11T03:34:03.000Z
Updated: 2024-08-04T15:56:04.341Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26415 vulnerable 2026-06-03 14:42:16.835751 Details available
MEDIUM (4.3)
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
Published: 2020-12-11T03:29:26.000Z
Updated: 2024-08-04T15:56:04.810Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26414 vulnerable 2026-06-03 14:42:16.835364 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
Published: 2021-01-15T15:15:18.000Z
Updated: 2024-08-04T15:56:04.447Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26413 vulnerable 2026-06-03 14:42:16.834967 Details available
MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
Published: 2020-12-11T03:47:34.000Z
Updated: 2024-08-04T15:56:04.703Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26409 vulnerable 2026-06-03 14:42:16.832002 Details available
MEDIUM (4.3)
A DoS vulnerability exists in GitLab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields.
Published: 2020-12-11T01:17:28.000Z
Updated: 2024-08-04T15:56:04.626Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26408 vulnerable 2026-06-03 14:42:16.831567 Details available
MEDIUM (5.3)
A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile
Published: 2020-12-11T04:01:26.000Z
Updated: 2024-08-04T15:56:04.394Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26407 vulnerable 2026-06-03 14:42:16.831113 Details available
MEDIUM (5.5)
A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project
Published: 2020-12-10T05:16:24.000Z
Updated: 2024-08-04T15:56:04.267Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26406 vulnerable 2026-06-03 14:42:16.830621 Details available
MEDIUM (5.3)
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
Published: 2020-11-17T00:13:19.000Z
Updated: 2024-08-04T15:56:04.397Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26405 vulnerable 2026-06-03 14:42:16.828915 Details available
HIGH (7.1)
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
Published: 2020-11-17T18:26:50.000Z
Updated: 2024-08-04T15:56:04.586Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14155 vulnerable 2026-06-03 14:41:38.026269 Details available
libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
Published: 2020-06-15T00:00:00.000Z
Updated: 2024-08-04T12:39:36.025Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13359 vulnerable 2026-06-03 14:41:36.569017 Details available
HIGH (7.6)
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
Published: 2020-11-18T23:57:34.000Z
Updated: 2024-08-04T12:18:17.623Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13358 vulnerable 2026-06-03 14:41:36.568591 Details available
MEDIUM (4.7)
A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.
Published: 2020-11-17T00:20:25.000Z
Updated: 2024-08-04T12:18:17.461Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13357 vulnerable 2026-06-03 14:41:36.568164 Details available
MEDIUM (4.3)
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
Published: 2020-12-11T03:55:55.000Z
Updated: 2024-08-04T12:18:17.628Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13356 vulnerable 2026-06-03 14:41:36.567729 Details available
HIGH (8.2)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
Published: 2020-11-18T23:35:05.000Z
Updated: 2024-08-04T12:18:17.540Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13355 vulnerable 2026-06-03 14:41:36.567275 Details available
HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
Published: 2020-11-18T23:30:25.000Z
Updated: 2024-08-04T12:18:17.457Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13354 vulnerable 2026-06-03 14:41:36.566783 Details available
MEDIUM (4.3)
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
Published: 2020-11-17T00:43:55.000Z
Updated: 2024-08-04T12:18:17.583Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13352 vulnerable 2026-06-03 14:41:36.564285 Details available
LOW (3.7)
Private group info is leaked in GitLab CE/EE version 10.2 and above, when the project is moved from a private to a public group. Affected versions are: >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
Published: 2020-11-17T00:36:27.000Z
Updated: 2024-08-04T12:18:17.655Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13351 vulnerable 2026-06-03 14:41:36.563790 Details available
MEDIUM (6.5)
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2.
Published: 2020-11-17T17:52:28.000Z
Updated: 2024-08-04T12:18:17.580Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13350 vulnerable 2026-06-03 14:41:36.563253 Details available
LOW (3.1)
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9.
Published: 2020-11-17T17:55:43.000Z
Updated: 2024-08-04T12:18:17.575Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13347 vulnerable 2026-06-03 14:41:36.556205 Details available
CRITICAL (9.1)
A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, it allows the attacker to run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable.
Published: 2020-10-07T13:14:16.000Z
Updated: 2024-08-04T12:18:17.532Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13346 vulnerable 2026-06-03 14:41:36.555815 Details available
MEDIUM (6.5)
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
Published: 2020-10-07T13:21:28.000Z
Updated: 2024-08-04T12:18:17.541Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13345 vulnerable 2026-06-03 14:41:36.555422 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes
Published: 2020-10-06T18:26:15.000Z
Updated: 2024-08-04T12:18:17.684Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13344 vulnerable 2026-06-03 14:41:36.555018 Details available
MEDIUM (5.7)
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Session keys are stored in plain text in Redis, which allows an attacker with Redis access to authenticate as any user that has a session stored in Redis.
Published: 2020-10-08T13:43:02.000Z
Updated: 2024-08-04T12:18:17.452Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13343 vulnerable 2026-06-03 14:41:36.554646 Details available
HIGH (7.5)
An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized Users Can View Custom Project Template
Published: 2020-10-06T18:24:10.000Z
Updated: 2024-08-04T12:18:17.542Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13342 vulnerable 2026-06-03 14:41:36.554305 Details available
LOW (2.7)
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
Published: 2020-10-07T15:57:08.000Z
Updated: 2024-08-04T12:18:17.451Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13341 vulnerable 2026-06-03 14:41:36.553912 Details available
MEDIUM (4.9)
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions.
Published: 2020-10-12T13:20:07.000Z
Updated: 2024-08-04T12:18:17.524Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13340 vulnerable 2026-06-03 14:41:36.553512 Details available
HIGH (8.7)
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log
Published: 2020-10-08T13:46:33.000Z
Updated: 2024-08-04T12:18:17.588Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13339 vulnerable 2026-06-03 14:41:36.553145 Details available
MEDIUM (5.5)
An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
Published: 2020-10-08T13:51:33.000Z
Updated: 2024-08-04T12:18:17.524Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13338 vulnerable 2026-06-03 14:41:36.552770 Details available
MEDIUM (5.4)
An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references.
Published: 2020-10-02T19:20:06.000Z
Updated: 2024-08-04T12:18:17.515Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13337 vulnerable 2026-06-03 14:41:36.552379 Details available
HIGH (7.2)
An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.
Published: 2020-10-02T19:15:50.000Z
Updated: 2024-08-04T12:18:17.783Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13336 vulnerable 2026-06-03 14:41:36.552004 Details available
MEDIUM (4)
An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS in the error tracking feature.
Published: 2020-09-30T20:56:45.000Z
Updated: 2024-08-04T12:18:17.577Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13335 vulnerable 2026-06-03 14:41:36.551657 Details available
MEDIUM (4.3)
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete their own account without deleting or transferring their group.
Published: 2020-10-07T13:03:23.000Z
Updated: 2024-08-04T12:18:17.616Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13334 vulnerable 2026-06-03 14:41:36.551221 Details available
MEDIUM (5.9)
In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of an issue via a GraphQL mutation query.
Published: 2020-10-07T13:18:20.000Z
Updated: 2024-08-04T12:18:18.242Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13318 vulnerable 2026-06-03 14:41:36.536725 Details available
MEDIUM (6.4)
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLab's EKS integration was vulnerable to a cross-account assume-role attack.
Published: 2020-09-14T18:50:47.000Z
Updated: 2024-08-04T12:18:17.071Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13317 vulnerable 2026-06-03 14:41:36.536340 Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository.
Published: 2020-09-14T19:36:25.000Z
Updated: 2024-08-04T12:18:17.064Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13316 vulnerable 2026-06-03 14:41:36.535937 Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository to be accessible via the git command line.
Published: 2020-09-14T18:41:53.000Z
Updated: 2024-08-04T12:18:17.096Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13314 vulnerable 2026-06-03 14:41:36.535208 Details available
LOW (3.7)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages.
Published: 2020-09-14T19:50:28.000Z
Updated: 2024-08-04T12:18:17.069Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13313 vulnerable 2026-06-03 14:41:36.534813 Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
Published: 2020-09-14T19:40:20.000Z
Updated: 2024-08-04T12:18:17.034Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13312 vulnerable 2026-06-03 14:41:36.534423 Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.
Published: 2020-09-14T19:44:41.000Z
Updated: 2024-08-04T12:18:17.549Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13311 vulnerable 2026-06-03 14:41:36.534030 Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Wiki was vulnerable to a parser attack that prohibits anyone from accessing the Wiki functionality through the user interface.
Published: 2020-09-14T19:47:00.000Z
Updated: 2024-08-04T12:18:16.661Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13308 vulnerable 2026-06-03 14:41:36.532976 Details available
LOW (2.7)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. A user without 2 factor authentication enabled could be prohibited from accessing GitLab by being invited into a project that had 2 factor authentication inheritance.
Published: 2020-09-15T12:30:33.000Z
Updated: 2024-08-04T12:18:17.035Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13307 vulnerable 2026-06-03 14:41:36.532578 Details available
LOW (3.8)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access.
Published: 2020-09-15T12:34:43.000Z
Updated: 2024-08-04T12:18:16.643Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13303 vulnerable 2026-06-03 14:41:36.531171 Details available
HIGH (7.1)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
Published: 2020-09-15T12:27:32.000Z
Updated: 2024-08-04T12:18:17.068Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13300 vulnerable 2026-06-03 14:41:36.530107 Details available
HIGH (8)
GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
Published: 2020-09-14T18:34:29.000Z
Updated: 2024-08-04T12:11:19.601Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13299 vulnerable 2026-06-03 14:41:36.529729 Details available
HIGH (8.1)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
Published: 2020-09-14T18:36:52.000Z
Updated: 2024-08-04T12:11:19.604Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13291 vulnerable 2026-06-03 14:41:36.521640 Details available
HIGH (8.1)
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
Published: 2020-08-12T14:15:00.000Z
Updated: 2024-08-04T12:11:19.532Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13290 vulnerable 2026-06-03 14:41:36.521294 Details available
HIGH (7.5)
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page
Published: 2020-08-12T14:24:24.000Z
Updated: 2024-08-04T12:11:19.547Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13289 vulnerable 2026-06-03 14:41:36.520895 Details available
MEDIUM (5.4)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. In certain cases an invalid username could be accepted when 2FA is activated.
Published: 2020-09-14T18:45:54.000Z
Updated: 2024-08-04T12:11:19.459Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13288 vulnerable 2026-06-03 14:41:36.520518 Details available
MEDIUM (5.5)
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page
Published: 2020-08-12T14:06:41.000Z
Updated: 2024-08-04T12:11:19.550Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13287 vulnerable 2026-06-03 14:41:36.520118 Details available
MEDIUM (4.3)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see confidential EPIC attached to confidential issues
Published: 2020-09-14T18:43:44.000Z
Updated: 2024-08-04T12:11:19.555Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13286 vulnerable 2026-06-03 14:41:36.519696 Details available
MEDIUM (6.4)
For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.
Published: 2020-08-13T13:30:55.000Z
Updated: 2024-08-04T12:11:19.556Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13285 vulnerable 2026-06-03 14:41:36.519289 Details available
HIGH (7.3)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip.
Published: 2020-08-13T12:45:07.000Z
Updated: 2024-08-04T12:11:19.514Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13284 vulnerable 2026-06-03 14:41:36.518895 Details available
MEDIUM (6.5)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token
Published: 2020-09-14T18:48:36.000Z
Updated: 2024-08-04T12:11:19.437Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13283 vulnerable 2026-06-03 14:41:36.518498 Details available
HIGH (7.3)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title.
Published: 2020-08-13T12:38:29.000Z
Updated: 2024-08-04T12:11:19.430Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13282 vulnerable 2026-06-03 14:41:36.518080 Details available
LOW (3.1)
For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading to improper access.
Published: 2020-08-13T12:33:52.000Z
Updated: 2024-08-04T12:11:19.525Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13281 vulnerable 2026-06-03 14:41:36.517662 Details available
MEDIUM (6.5)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a denial of service exists in the project import feature
Published: 2020-08-13T13:22:23.000Z
Updated: 2024-08-04T12:11:19.554Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13280 vulnerable 2026-06-03 14:41:36.517219 Details available
MEDIUM (6.5)
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.
Published: 2020-08-13T12:49:19.000Z
Updated: 2024-08-04T12:11:19.553Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13277 vulnerable 2026-06-03 14:41:36.507635 Details available
MEDIUM (6.3)
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5
Published: 2020-06-19T17:20:01.000Z
Updated: 2024-08-04T12:11:19.490Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13276 vulnerable 2026-06-03 14:41:36.507229 Details available
HIGH (7.4)
A user is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1
Published: 2020-06-19T21:37:54.000Z
Updated: 2024-08-04T12:11:19.431Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13275 vulnerable 2026-06-03 14:41:36.506786 Details available
HIGH (8)
A user with an unverified email address could request access to domain-restricted groups in GitLab EE 12.2 and later through 13.0.1
Published: 2020-06-19T21:55:32.000Z
Updated: 2024-08-04T12:11:19.491Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13274 vulnerable 2026-06-03 14:41:36.506354 Details available
HIGH (7.5)
A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1
Published: 2020-06-19T21:53:45.000Z
Updated: 2024-08-04T12:11:19.491Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13273 vulnerable 2026-06-03 14:41:36.505967 Details available
HIGH (7.5)
A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1
Published: 2020-06-19T21:51:37.000Z
Updated: 2024-08-04T12:11:19.428Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13272 vulnerable 2026-06-03 14:41:36.505446 Details available
HIGH (7.5)
A missing verification check in the OAuth flow in GitLab CE/EE 12.3 and later through 13.0.1 allows an unverified user to use the OAuth authorization code flow
Published: 2020-06-19T21:40:04.000Z
Updated: 2024-08-04T12:11:19.447Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13271 vulnerable 2026-06-03 14:41:36.505056 Details available
MEDIUM (6.1)
A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1
Published: 2020-06-10T14:25:15.000Z
Updated: 2024-08-04T12:11:19.411Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13270 vulnerable 2026-06-03 14:41:36.504650 Details available
HIGH (7.5)
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API
Published: 2020-06-10T14:35:07.000Z
Updated: 2024-08-04T12:11:19.468Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13269 vulnerable 2026-06-03 14:41:36.504251 Details available
MEDIUM (6.1)
A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1
Published: 2020-06-10T14:38:12.000Z
Updated: 2024-08-04T12:11:19.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13268 vulnerable 2026-06-03 14:41:36.503868 Details available
MEDIUM (5.3)
A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1
Published: 2020-06-10T14:32:13.000Z
Updated: 2024-08-04T12:11:19.488Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13267 vulnerable 2026-06-03 14:41:36.503482 Details available
MEDIUM (6.1)
A Stored Cross-Site Scripting vulnerability allowed the execution of Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1
Published: 2020-06-10T14:29:12.000Z
Updated: 2024-08-04T12:11:19.470Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13266 vulnerable 2026-06-03 14:41:36.503108 Details available
MEDIUM (4.3)
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions
Published: 2020-06-09T15:34:39.000Z
Updated: 2024-08-04T12:11:19.473Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13265 vulnerable 2026-06-03 14:41:36.502706 Details available
MEDIUM (4.3)
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification
Published: 2020-06-19T21:42:04.000Z
Updated: 2024-08-04T12:11:19.478Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13264 vulnerable 2026-06-03 14:41:36.502262 Details available
MEDIUM (5.3)
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
Published: 2020-06-19T22:13:52.000Z
Updated: 2024-08-04T12:11:19.466Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13263 vulnerable 2026-06-03 14:41:36.501813 Details available
HIGH (7.5)
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer to perform limited actions.
Published: 2020-06-19T22:15:37.000Z
Updated: 2024-08-04T12:11:19.416Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13262 vulnerable 2026-06-03 14:41:36.501342 Details available
MEDIUM (6.1)
Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to issue PUT requests on behalf of other users when they click on a link
Published: 2020-06-19T21:59:20.000Z
Updated: 2024-08-04T12:11:19.462Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13261 vulnerable 2026-06-03 14:41:36.498923 Details available
MEDIUM (5.3)
Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code
Published: 2020-06-19T22:11:59.000Z
Updated: 2024-08-04T12:11:19.551Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-12277 vulnerable 2026-06-03 14:41:33.639021 Details available
GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated.
Published: 2020-04-29T16:28:18.000Z
Updated: 2024-08-04T11:48:58.764Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-12276 vulnerable 2026-06-03 14:41:33.638568 Details available
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.
Published: 2020-04-29T16:28:21.000Z
Updated: 2024-08-04T11:48:58.484Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-12275 vulnerable 2026-06-03 14:41:33.637273 Details available
GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.
Published: 2020-04-29T16:28:23.000Z
Updated: 2024-08-04T11:48:58.546Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-11649 vulnerable 2026-06-03 14:41:26.432285 Details available
An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted.
Published: 2020-04-22T19:52:15.000Z
Updated: 2024-08-04T11:35:13.628Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-11506 vulnerable 2026-06-03 14:41:26.199684 Details available
An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.
Published: 2020-04-22T19:50:39.000Z
Updated: 2024-08-04T11:35:12.403Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-11505 vulnerable 2026-06-03 14:41:26.199270 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling.
Published: 2020-04-22T19:46:37.000Z
Updated: 2024-08-04T11:35:12.403Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10981 vulnerable 2026-06-03 14:41:00.825384 Details available
GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.
Published: 2020-04-08T18:04:33.000Z
Updated: 2024-08-04T11:21:14.204Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10980 vulnerable 2026-06-03 14:41:00.825076 Details available
GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.
Published: 2020-04-08T18:05:33.000Z
Updated: 2024-08-04T11:21:13.825Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10979 vulnerable 2026-06-03 14:41:00.824777 Details available
GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.
Published: 2020-04-08T18:07:20.000Z
Updated: 2024-08-04T11:21:14.283Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10978 vulnerable 2026-06-03 14:41:00.824457 Details available
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.
Published: 2020-04-08T18:08:27.000Z
Updated: 2024-08-04T11:21:14.508Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10977 vulnerable 2026-06-03 14:41:00.824137 Details available
GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.
Published: 2020-04-08T18:09:59.000Z
Updated: 2024-08-04T11:21:13.789Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10976 vulnerable 2026-06-03 14:41:00.823822 Details available
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
Published: 2020-04-08T18:10:59.000Z
Updated: 2024-08-04T11:21:14.607Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10975 vulnerable 2026-06-03 14:41:00.823480 Details available
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.
Published: 2020-04-08T18:11:48.000Z
Updated: 2024-08-04T11:21:13.685Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10956 vulnerable 2026-06-03 14:41:00.769405 Details available
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.
Published: 2020-03-27T18:25:52.000Z
Updated: 2024-08-04T11:21:13.822Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10955 vulnerable 2026-06-03 14:41:00.769067 Details available
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
Published: 2020-03-27T18:48:49.000Z
Updated: 2024-08-04T11:21:14.205Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10954 vulnerable 2026-06-03 14:41:00.768728 Details available
GitLab through 12.9 is affected by a potential DoS in repository archive download.
Published: 2020-03-27T18:50:15.000Z
Updated: 2024-08-04T11:21:14.044Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10952 vulnerable 2026-06-03 14:41:00.768106 Details available
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.
Published: 2020-03-27T18:55:16.000Z
Updated: 2024-08-04T11:21:13.598Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10535 vulnerable 2026-06-03 14:41:00.004523 Details available
GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address.
Published: 2020-03-12T22:25:52.000Z
Updated: 2024-08-04T11:06:09.519Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10092 vulnerable 2026-06-03 14:40:59.038427 Details available
GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration.
Published: 2020-03-13T16:15:47.000Z
Updated: 2024-08-04T10:50:57.826Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10091 vulnerable 2026-06-03 14:40:59.038118 Details available
GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.
Published: 2020-03-13T16:18:51.000Z
Updated: 2024-08-04T10:50:57.829Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10090 vulnerable 2026-06-03 14:40:59.037825 Details available
GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.
Published: 2020-03-13T16:24:55.000Z
Updated: 2024-08-04T10:50:57.807Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10089 vulnerable 2026-06-03 14:40:59.037527 Details available
GitLab 8.11 through 12.8.1 allows a Denial of Service when using several features to recursively request each other.
Published: 2020-03-13T16:27:29.000Z
Updated: 2024-08-04T10:50:57.816Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10088 vulnerable 2026-06-03 14:40:59.037229 Details available
GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level.
Published: 2020-03-13T16:29:09.000Z
Updated: 2024-08-04T10:50:57.884Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10087 vulnerable 2026-06-03 14:40:59.036917 Details available
GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.
Published: 2020-03-13T16:34:34.000Z
Updated: 2024-08-04T10:50:57.922Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10086 vulnerable 2026-06-03 14:40:59.036618 Details available
GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read.
Published: 2020-03-13T16:40:20.000Z
Updated: 2024-08-04T10:50:57.870Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10085 vulnerable 2026-06-03 14:40:59.036331 Details available
GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing private merge request titles.
Published: 2020-03-13T16:44:01.000Z
Updated: 2024-08-04T10:50:57.890Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10083 vulnerable 2026-06-03 14:40:59.035736 Details available
GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied.
Published: 2020-03-13T16:51:32.000Z
Updated: 2024-08-04T10:50:57.793Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10082 vulnerable 2026-06-03 14:40:59.035435 Details available
GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered.
Published: 2020-03-13T16:53:49.000Z
Updated: 2024-08-04T10:50:57.945Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10081 vulnerable 2026-06-03 14:40:59.035128 Details available
GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.
Published: 2020-03-13T16:54:45.000Z
Updated: 2024-08-04T10:50:57.889Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10080 vulnerable 2026-06-03 14:40:59.034822 Details available
GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.
Published: 2020-03-13T16:56:12.000Z
Updated: 2024-08-04T10:50:57.883Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10079 vulnerable 2026-06-03 14:40:59.034496 Details available
GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required.
Published: 2020-03-13T16:57:52.000Z
Updated: 2024-08-04T10:50:57.852Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10078 vulnerable 2026-06-03 14:40:59.034183 Details available
GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability.
Published: 2020-03-13T16:59:43.000Z
Updated: 2024-08-04T10:50:57.792Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10076 vulnerable 2026-06-03 14:40:59.033568 Details available
GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests.
Published: 2020-03-13T17:03:20.000Z
Updated: 2024-08-04T10:50:57.868Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10075 vulnerable 2026-06-03 14:40:59.033233 Details available
GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input.
Published: 2020-03-13T17:12:24.000Z
Updated: 2024-08-04T10:50:57.860Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10074 vulnerable 2026-06-03 14:40:59.032803 Details available
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.
Published: 2020-03-13T17:13:49.000Z
Updated: 2024-08-04T10:50:57.800Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9890 vulnerable 2026-06-03 14:40:49.969670 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
Published: 2019-04-17T16:34:05.000Z
Updated: 2024-08-04T22:01:55.077Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9866 vulnerable 2026-06-03 14:40:49.935987 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.7.7 and 11.8.x before 11.8.3. It allows Information Disclosure.
Published: 2019-05-29T16:28:16.000Z
Updated: 2024-08-04T22:01:55.126Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9756 vulnerable 2026-06-03 14:40:49.807470 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
Published: 2019-04-17T16:11:22.000Z
Updated: 2024-08-04T22:01:54.216Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9732 vulnerable 2026-06-03 14:40:49.769440 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
Published: 2019-05-29T16:18:36.000Z
Updated: 2024-08-04T22:01:53.943Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9485 vulnerable 2026-06-03 14:40:49.010546 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
Published: 2019-05-29T16:08:14.000Z
Updated: 2024-08-04T21:54:43.512Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9225 vulnerable 2026-06-03 14:40:48.870271 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 5 of 5).
Published: 2019-04-17T16:41:57.000Z
Updated: 2024-08-04T21:38:46.656Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9224 vulnerable 2026-06-03 14:40:48.869910 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 4 of 5).
Published: 2019-04-17T16:39:21.000Z
Updated: 2024-08-04T21:38:46.660Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9223 vulnerable 2026-06-03 14:40:48.869564 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure.
Published: 2019-04-17T16:50:14.000Z
Updated: 2024-08-04T21:38:46.567Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9222 vulnerable 2026-06-03 14:40:48.869209 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
Published: 2019-04-17T16:48:38.000Z
Updated: 2024-08-04T21:38:46.619Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9221 vulnerable 2026-06-03 14:40:48.868836 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5).
Published: 2019-05-29T16:06:53.000Z
Updated: 2024-08-04T21:38:46.641Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9220 vulnerable 2026-06-03 14:40:48.868504 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Uncontrolled Resource Consumption.
Published: 2019-04-17T16:52:23.000Z
Updated: 2024-08-04T21:38:46.658Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9219 vulnerable 2026-06-03 14:40:48.868143 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).
Published: 2019-04-17T16:43:48.000Z
Updated: 2024-08-04T21:38:46.623Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9218 vulnerable 2026-06-03 14:40:48.867780 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5).
Published: 2019-05-29T15:59:30.000Z
Updated: 2024-08-04T21:38:46.600Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9217 vulnerable 2026-06-03 14:40:48.867434 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information.
Published: 2019-04-17T16:46:24.000Z
Updated: 2024-08-04T21:38:46.559Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9179 vulnerable 2026-06-03 14:40:48.810031 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 5 of 5).
Published: 2019-04-17T16:31:20.000Z
Updated: 2024-08-04T21:38:46.561Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9178 vulnerable 2026-06-03 14:40:48.809676 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 4 of 5).
Published: 2019-04-17T16:28:40.000Z
Updated: 2024-08-04T21:38:46.610Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9176 vulnerable 2026-06-03 14:40:48.809257 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF.
Published: 2019-04-17T16:15:05.000Z
Updated: 2024-08-04T21:38:46.559Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9175 vulnerable 2026-06-03 14:40:48.808905 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 3 of 5).
Published: 2019-04-17T16:26:16.000Z
Updated: 2024-08-04T21:38:46.629Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9174 vulnerable 2026-06-03 14:40:48.808545 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF.
Published: 2019-04-17T16:17:40.000Z
Updated: 2024-08-04T21:38:46.549Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9172 vulnerable 2026-06-03 14:40:48.808166 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5).
Published: 2019-04-17T16:20:09.000Z
Updated: 2024-08-04T21:38:46.502Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9171 vulnerable 2026-06-03 14:40:48.807736 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 1 of 5).
Published: 2019-04-17T16:37:30.000Z
Updated: 2024-08-04T21:38:46.554Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-9170 vulnerable 2026-06-03 14:40:48.806705 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
Published: 2019-04-17T16:23:38.000Z
Updated: 2024-08-04T21:38:46.605Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-7549 vulnerable 2026-06-03 14:40:41.895661 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.5.10, 11.6.x before 11.6.8, and 11.7.x before 11.7.3. It has Incorrect Access Control. The GitLab pipelines feature is vulnerable to authorization issues that allow unauthorized users to view job information.
Published: 2019-05-29T15:42:42.000Z
Updated: 2024-08-04T20:54:27.656Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-7353 vulnerable 2026-06-03 14:40:41.683555 Details available
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 11.7.x before 11.7.4. GitLab Releases were vulnerable to an authorization issue that allowed users to view confidential issue and merge request titles of other projects.
Published: 2019-05-17T16:04:12.000Z
Updated: 2024-08-04T20:46:46.320Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-7176 vulnerable 2026-06-03 14:40:41.418823 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.
Published: 2019-09-09T20:02:30.000Z
Updated: 2024-08-04T20:38:33.523Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-7155 vulnerable 2026-06-03 14:40:41.341097 Details available
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. A user retains their role within a project in a private group after being removed from the group, if their privileges within the project are different from the group.
Published: 2019-04-16T21:47:56.000Z
Updated: 2024-08-04T20:38:33.436Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6997 vulnerable 2026-06-03 14:40:41.125977 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. System notes contain an access control issue that permits a guest user to view merge request titles.
Published: 2019-09-09T19:57:45.000Z
Updated: 2024-08-04T20:38:32.696Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6996 vulnerable 2026-06-03 14:40:41.125621 Details available
An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge request approvers section has an access control issue that permits project maintainers to view membership of private groups.
Published: 2019-09-09T19:56:09.000Z
Updated: 2024-08-04T20:38:32.949Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6995 vulnerable 2026-06-03 14:40:41.125251 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues.
Published: 2019-09-09T19:54:33.000Z
Updated: 2024-08-04T20:38:32.605Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6960 vulnerable 2026-06-03 14:40:41.050740 Details available
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Access to the internal wiki is permitted when an external wiki service is enabled.
Published: 2019-09-09T19:52:48.000Z
Updated: 2024-08-04T20:31:04.389Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6796 vulnerable 2026-06-03 14:40:40.646711 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 2 of 2). The user status field contains a lack of input validation and output encoding that results in a persistent XSS.
Published: 2019-04-11T19:51:41.000Z
Updated: 2024-08-04T20:31:04.247Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6795 vulnerable 2026-06-03 14:40:40.646341 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Insufficient Visual Distinction of Homoglyphs Presented to a User. IDN homographs and RTLO characters are rendered to unicode, which could be used for social engineering.
Published: 2019-09-09T19:43:18.000Z
Updated: 2024-08-04T20:31:04.389Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6794 vulnerable 2026-06-03 14:40:40.646015 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest user can view the last commit status of the default branch.
Published: 2019-09-09T19:41:20.000Z
Updated: 2024-08-04T20:31:04.238Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6792 vulnerable 2026-06-03 14:40:40.645396 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Path Disclosure. When an error is encountered on project import, the error message will display instance internal information.
Published: 2019-09-09T19:37:13.000Z
Updated: 2024-08-04T20:31:04.253Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6791 vulnerable 2026-06-03 14:40:40.645059 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.
Published: 2019-09-09T20:25:04.000Z
Updated: 2024-08-04T20:31:04.241Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6790 vulnerable 2026-06-03 14:40:40.644754 Details available
An Incorrect Access Control (issue 2 of 3) issue was discovered in GitLab Community and Enterprise Edition 8.14 and later but before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. Guest users were able to view the list of a group's merge requests.
Published: 2019-05-17T15:53:27.000Z
Updated: 2024-08-04T20:31:04.242Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6789 vulnerable 2026-06-03 14:40:40.644437 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project permissions will receive emails after a project move. For private projects, this will disclose the new project namespace to an unauthorized user.
Published: 2019-09-09T19:32:53.000Z
Updated: 2024-08-04T20:31:04.279Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6788 vulnerable 2026-06-03 14:40:40.644099 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 3 of 6). For installations using GitHub or Bitbucket OAuth integrations, it is possible to use a covert redirect to obtain the user OAuth token for those services.
Published: 2019-09-09T19:30:25.000Z
Updated: 2024-08-04T20:31:04.337Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6787 vulnerable 2026-06-03 14:40:40.643752 Details available
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitLab API allowed project Maintainers and Owners to view the trigger tokens of other project users.
Published: 2019-05-17T15:49:11.000Z
Updated: 2024-08-04T20:31:04.314Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6786 vulnerable 2026-06-03 14:40:40.643418 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 1 of 3). The contents of an LFS object can be accessed by an unauthorized user, if the file size and OID are known.
Published: 2019-09-09T19:28:06.000Z
Updated: 2024-08-04T20:31:04.246Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6785 vulnerable 2026-06-03 14:40:40.643082 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Denial of Service. Inputting an overly long string into a Markdown field could cause a denial of service.
Published: 2019-09-09T19:26:05.000Z
Updated: 2024-08-04T20:31:04.114Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6784 vulnerable 2026-06-03 14:40:40.642742 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 1 of 2). Markdown fields contain a lack of input validation and output encoding when processing KaTeX that results in a persistent XSS.
Published: 2019-09-09T19:21:45.000Z
Updated: 2024-08-04T20:31:04.104Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6783 vulnerable 2026-06-03 14:40:40.642414 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. GitLab Pages contains a directory traversal vulnerability that could lead to remote command execution.
Published: 2019-09-09T19:19:45.000Z
Updated: 2024-08-04T20:31:04.083Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6782 vulnerable 2026-06-03 14:40:40.642038 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 1 of 6). An authorization issue allows the contributed project information of a private profile to be viewed.
Published: 2019-09-09T19:17:09.000Z
Updated: 2024-08-04T20:31:04.248Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6781 vulnerable 2026-06-03 14:40:40.641664 Details available
An Improper Input Validation issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It was possible to use the profile name to inject a potentially malicious link into notification emails.
Published: 2019-05-17T15:42:39.000Z
Updated: 2024-08-04T20:31:04.245Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-6240 vulnerable 2026-06-03 14:40:38.258678 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal.
Published: 2019-03-25T16:45:45.000Z
Updated: 2024-08-04T20:16:24.843Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5883 vulnerable 2026-06-03 14:40:36.127996 Details available
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 6.0 and later but before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. The issue comments feature could allow a user to comment on an issue which they shouldn't be allowed to.
Published: 2019-05-17T15:30:47.000Z
Updated: 2024-08-04T20:09:23.697Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5486 vulnerable 2026-06-03 14:40:30.321090 Details available
An authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
Published: 2019-12-18T20:58:42.000Z
Updated: 2024-08-04T19:54:53.485Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5472 vulnerable 2026-06-03 14:40:30.238619 Details available
An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainers from deleting epic comments.
Published: 2020-01-28T02:52:04.000Z
Updated: 2024-08-04T19:54:53.512Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5471 vulnerable 2026-06-03 14:40:30.238216 Details available
An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.
Published: 2019-09-09T17:47:02.000Z
Updated: 2024-08-04T19:54:53.486Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5470 vulnerable 2026-06-03 14:40:30.237768 Details available
An information disclosure issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.
Published: 2020-01-28T02:49:40.000Z
Updated: 2024-08-04T19:54:53.581Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5469 vulnerable 2026-06-03 14:40:30.236404 Details available
An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from a project archive to replace other users' files, potentially allowing an attacker to replace project binaries or other uploaded assets.
Published: 2019-12-18T20:59:50.000Z
Updated: 2024-08-04T19:54:53.479Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5468 vulnerable 2026-06-03 14:40:30.235012 Details available
A privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.
Published: 2020-01-28T02:44:12.000Z
Updated: 2024-08-04T19:54:53.594Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5467 vulnerable 2026-06-03 14:40:30.231989 Details available
An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
Published: 2019-09-09T17:45:19.000Z
Updated: 2024-08-04T19:54:53.501Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5466 vulnerable 2026-06-03 14:40:30.231621 Details available
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.
Published: 2020-01-28T02:39:28.000Z
Updated: 2024-08-04T19:54:53.587Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5465 vulnerable 2026-06-03 14:40:30.231245 Details available
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
Published: 2020-01-28T02:28:00.000Z
Updated: 2024-08-04T19:54:53.509Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5464 vulnerable 2026-06-03 14:40:30.230810 Details available
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
Published: 2020-01-28T02:23:14.000Z
Updated: 2024-08-04T19:54:53.478Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5463 vulnerable 2026-06-03 14:40:30.229487 Details available
An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
Published: 2019-09-09T17:44:00.000Z
Updated: 2024-08-04T19:54:53.488Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5462 vulnerable 2026-06-03 14:40:30.228104 Details available
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
Published: 2020-01-28T02:17:12.000Z
Updated: 2024-08-04T19:54:53.486Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5461 vulnerable 2026-06-03 14:40:30.225413 Details available
An input validation problem was discovered in the GitHub service integration which could result in an attacker being able to make arbitrary POST requests in a GitLab instance's internal network. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
Published: 2019-09-09T16:57:15.000Z
Updated: 2024-08-04T19:54:53.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20148 vulnerable 2026-06-03 14:40:11.504733 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
Published: 2020-01-13T19:52:52.000Z
Updated: 2024-08-05T02:39:09.117Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20147 vulnerable 2026-06-03 14:40:11.504296 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.
Published: 2020-01-13T19:56:40.000Z
Updated: 2024-08-05T02:39:08.743Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20146 vulnerable 2026-06-03 14:40:11.503978 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption.
Published: 2020-01-13T19:59:11.000Z
Updated: 2024-08-05T02:39:09.325Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20145 vulnerable 2026-06-03 14:40:11.503662 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.
Published: 2020-01-13T20:00:39.000Z
Updated: 2024-08-05T02:39:08.524Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20144 vulnerable 2026-06-03 14:40:11.503323 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.
Published: 2020-01-13T20:01:45.000Z
Updated: 2024-08-05T02:39:08.114Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20142 vulnerable 2026-06-03 14:40:11.500878 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service.
Published: 2020-01-13T20:04:21.000Z
Updated: 2024-08-05T02:39:07.955Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19260 vulnerable 2026-06-03 14:40:04.191673 Details available
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2).
Published: 2020-01-03T16:32:54.000Z
Updated: 2024-08-05T02:09:39.576Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19257 vulnerable 2026-06-03 14:40:04.190784 Details available
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).
Published: 2020-01-03T16:26:28.000Z
Updated: 2024-08-05T02:09:39.558Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19254 vulnerable 2026-06-03 14:40:04.189739 Details available
GitLab Community Edition (CE) and Enterprise Edition (EE) 9.6 and later through 12.5 has Incorrect Access Control.
Published: 2020-01-03T15:51:57.000Z
Updated: 2024-08-05T02:09:39.588Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18463 vulnerable 2026-06-03 14:39:57.357206 Details available
An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 4 of 4).
Published: 2019-11-26T14:39:15.000Z
Updated: 2024-08-05T01:54:14.379Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18462 vulnerable 2026-06-03 14:39:57.356910 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions.
Published: 2019-11-26T14:44:02.000Z
Updated: 2024-08-05T01:54:14.413Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18461 vulnerable 2026-06-03 14:39:57.356609 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.
Published: 2019-11-26T14:44:48.000Z
Updated: 2024-08-05T01:54:14.361Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18460 vulnerable 2026-06-03 14:39:57.356317 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4 in the Comments Search feature provided by the Elasticsearch integration. It has Incorrect Access Control.
Published: 2019-11-26T14:47:52.000Z
Updated: 2024-08-05T01:54:14.296Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18459 vulnerable 2026-06-03 14:39:57.356023 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4).
Published: 2019-11-26T15:24:35.000Z
Updated: 2024-08-05T01:54:14.372Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18458 vulnerable 2026-06-03 14:39:57.355735 Details available
An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 2 of 4).
Published: 2019-11-26T15:40:29.000Z
Updated: 2024-08-05T01:54:14.412Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18457 vulnerable 2026-06-03 14:39:57.355442 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens. It has Insecure Permissions.
Published: 2019-11-26T15:43:07.000Z
Updated: 2024-08-05T01:54:14.149Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18456 vulnerable 2026-06-03 14:39:57.355140 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration. It has Insecure Permissions (issue 1 of 4).
Published: 2019-11-26T16:04:44.000Z
Updated: 2024-08-05T01:54:14.413Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18455 vulnerable 2026-06-03 14:39:57.354847 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11 through 12.4 when building Nested GraphQL queries. It has a large or infinite loop.
Published: 2019-11-26T16:26:48.000Z
Updated: 2024-08-05T01:54:14.450Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18454 vulnerable 2026-06-03 14:39:57.354563 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in link validation for RDoc wiki pages feature. It has XSS.
Published: 2019-11-26T16:31:19.000Z
Updated: 2024-08-05T01:54:14.374Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18453 vulnerable 2026-06-03 14:39:57.354275 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions.
Published: 2019-11-26T16:35:36.000Z
Updated: 2024-08-05T01:54:14.295Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18452 vulnerable 2026-06-03 14:39:57.353975 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions.
Published: 2019-11-26T16:41:12.000Z
Updated: 2024-08-05T01:54:14.365Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18451 vulnerable 2026-06-03 14:39:57.353670 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect.
Published: 2019-11-26T16:43:03.000Z
Updated: 2024-08-05T01:54:14.296Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18450 vulnerable 2026-06-03 14:39:57.353368 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions.
Published: 2019-11-26T16:44:33.000Z
Updated: 2024-08-05T01:54:14.347Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18449 vulnerable 2026-06-03 14:39:57.353066 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
Published: 2019-11-26T16:47:20.000Z
Updated: 2024-08-05T01:54:14.298Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18448 vulnerable 2026-06-03 14:39:57.352762 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.
Published: 2019-11-26T16:48:36.000Z
Updated: 2024-08-05T01:54:14.471Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18447 vulnerable 2026-06-03 14:39:57.352449 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions.
Published: 2019-11-26T16:49:30.000Z
Updated: 2024-08-05T01:54:14.391Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-18446 vulnerable 2026-06-03 14:39:57.352106 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2).
Published: 2019-11-26T16:50:38.000Z
Updated: 2024-08-05T01:54:14.373Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-16170 vulnerable 2026-06-03 14:39:53.961966 Details available
An issue was discovered in GitLab Enterprise Edition 11.x and 12.x before 12.0.9, 12.1.x before 12.1.9, and 12.2.x before 12.2.5. It has Incorrect Access Control.
Published: 2019-09-16T11:59:41.000Z
Updated: 2024-08-05T01:10:41.119Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15740 vulnerable 2026-06-03 14:39:48.188644 Details available
An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads.
Published: 2019-09-16T17:05:15.000Z
Updated: 2024-08-05T00:56:22.453Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15739 vulnerable 2026-06-03 14:39:48.188296 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads.
Published: 2019-09-16T17:04:23.000Z
Updated: 2024-08-05T00:56:22.299Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15738 vulnerable 2026-06-03 14:39:48.187964 Details available
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email.
Published: 2019-09-16T17:03:36.000Z
Updated: 2024-08-05T00:56:22.289Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15737 vulnerable 2026-06-03 14:39:48.187617 Details available
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Certain account actions needed improved authentication and session management.
Published: 2019-09-16T17:02:54.000Z
Updated: 2024-08-05T00:56:22.435Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15736 vulnerable 2026-06-03 14:39:48.187161 Details available
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Under certain circumstances, CI pipelines could potentially be used in a denial of service attack.
Published: 2019-09-16T17:02:11.000Z
Updated: 2024-08-05T00:56:22.358Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15734 vulnerable 2026-06-03 14:39:48.186822 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these.
Published: 2019-09-16T17:01:20.000Z
Updated: 2024-08-05T00:56:22.385Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15733 vulnerable 2026-06-03 14:39:48.186485 Details available
An issue was discovered in GitLab Community and Enterprise Edition 7.12 through 12.2.1. The specified default branch name could be exposed to unauthorized users.
Published: 2019-09-16T17:00:24.000Z
Updated: 2024-08-05T00:56:22.313Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15732 vulnerable 2026-06-03 14:39:48.186164 Details available
An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.
Published: 2019-09-16T16:59:34.000Z
Updated: 2024-08-05T00:56:22.384Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15731 vulnerable 2026-06-03 14:39:48.185862 Details available
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so.
Published: 2019-09-16T16:58:39.000Z
Updated: 2024-08-05T00:56:22.447Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15730 vulnerable 2026-06-03 14:39:48.185540 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1. The Jira integration contains an SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack, which would allow sending requests to any resources accessible in the local network by the GitLab server.
Published: 2019-09-16T16:57:33.000Z
Updated: 2024-08-05T00:56:22.364Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15729 vulnerable 2026-06-03 14:39:48.185196 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request.
Published: 2019-09-17T14:34:48.000Z
Updated: 2024-08-05T00:56:22.383Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15728 vulnerable 2026-06-03 14:39:48.184868 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.1 through 12.2.1. Protections against SSRF attacks on the Kubernetes integration are insufficient, which could have allowed an attacker to request any local network resource accessible from the GitLab server.
Published: 2019-09-16T16:54:28.000Z
Updated: 2024-08-05T00:56:22.323Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15727 vulnerable 2026-06-03 14:39:48.184539 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.2 through 12.2.1. Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users.
Published: 2019-09-16T16:53:03.000Z
Updated: 2024-08-05T00:56:22.426Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15726 vulnerable 2026-06-03 14:39:48.184193 Details available
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server.
Published: 2019-09-16T16:51:43.000Z
Updated: 2024-08-05T00:56:22.607Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15725 vulnerable 2026-06-03 14:39:48.183849 Details available
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API could result in disclosure of private milestones, labels, and other information.
Published: 2019-09-16T16:50:18.000Z
Updated: 2024-08-05T00:56:22.433Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15724 vulnerable 2026-06-03 14:39:48.183515 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.2.1. Label descriptions are vulnerable to HTML injection.
Published: 2019-09-16T16:48:53.000Z
Updated: 2024-08-05T00:56:22.211Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15723 vulnerable 2026-06-03 14:39:48.183180 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations.
Published: 2019-09-16T16:46:46.000Z
Updated: 2024-08-05T00:56:22.421Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15722 vulnerable 2026-06-03 14:39:48.182846 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.2.1. Particular mathematical expressions in GitLab Markdown can exhaust client resources.
Published: 2019-09-16T16:45:27.000Z
Updated: 2024-08-05T00:56:22.310Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15721 vulnerable 2026-06-03 14:39:48.182477 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings.
Published: 2019-09-16T16:43:56.000Z
Updated: 2024-08-05T00:56:22.267Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15592 vulnerable 2026-06-03 14:39:47.923172 Details available
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated with an issue via the activity timeline.
Published: 2020-02-14T21:27:56.000Z
Updated: 2024-08-05T00:49:13.674Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15591 vulnerable 2026-06-03 14:39:47.922724 Details available
An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled.
Published: 2019-12-18T20:51:27.000Z
Updated: 2024-08-05T00:49:13.787Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15590 vulnerable 2026-06-03 14:39:47.920626 Details available
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed through the Group Search feature provided by the Elasticsearch integration.
Published: 2020-01-28T02:31:05.000Z
Updated: 2024-08-05T00:49:13.635Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15589 vulnerable 2026-06-03 14:39:47.920230 Details available
An improper access control vulnerability exists in GitLab <v12.3.2, <v12.2.6, <v12.1.12 that would allow a blocked user to still use git clone and pull if they had obtained a CI/CD token beforehand.
Published: 2019-12-18T21:00:39.000Z
Updated: 2024-08-05T00:49:13.715Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15586 vulnerable 2026-06-03 14:39:47.913368 Details available
A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin.
Published: 2020-01-28T02:14:59.000Z
Updated: 2024-08-05T00:49:13.628Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15585 vulnerable 2026-06-03 14:39:47.913060 Details available
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE): the GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account.
Published: 2020-01-28T02:21:16.000Z
Updated: 2024-08-05T00:49:13.654Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15584 vulnerable 2026-06-03 14:39:47.912693 Details available
A denial of service exists in GitLab <v12.3.2, <v12.2.6, and <v12.1.10 that would let an attacker bypass input validation in markdown fields and take down the affected page.
Published: 2019-12-20T21:02:40.000Z
Updated: 2024-08-05T00:49:13.651Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15583 vulnerable 2026-06-03 14:39:47.912352 Details available
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
Published: 2020-01-28T02:24:38.000Z
Updated: 2024-08-05T00:49:13.753Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15582 vulnerable 2026-06-03 14:39:47.911957 Details available
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
Published: 2020-01-28T02:36:05.000Z
Updated: 2024-08-05T00:49:13.762Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15581 vulnerable 2026-06-03 14:39:47.911515 Details available
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
Published: 2020-01-28T02:43:00.000Z
Updated: 2024-08-05T00:49:13.763Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15580 vulnerable 2026-06-03 14:39:47.909550 Details available
An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10: when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.
Published: 2019-12-18T20:59:15.000Z
Updated: 2024-08-05T00:49:13.790Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15579 vulnerable 2026-06-03 14:39:47.907388 Details available
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones.
Published: 2020-01-28T02:45:42.000Z
Updated: 2024-08-05T00:49:13.633Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15578 vulnerable 2026-06-03 14:39:47.906934 Details available
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
Published: 2020-01-28T02:46:55.000Z
Updated: 2024-08-05T00:49:13.672Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15577 vulnerable 2026-06-03 14:39:47.904083 Details available
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.
Published: 2019-12-18T21:00:00.000Z
Updated: 2024-08-05T00:49:13.757Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15576 vulnerable 2026-06-03 14:39:47.903724 Details available
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
Published: 2019-12-18T21:00:08.000Z
Updated: 2024-08-05T00:49:13.643Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15575 vulnerable 2026-06-03 14:39:47.903297 Details available
A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope.
Published: 2019-12-18T21:00:16.000Z
Updated: 2024-08-05T00:49:13.586Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14944 vulnerable 2026-06-03 14:39:46.873204 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T17:04:10.243Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14943 vulnerable 2026-06-03 14:39:46.872775 Details available
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials.
Published: 2019-08-29T11:58:32.000Z
Updated: 2024-08-05T00:34:52.693Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14942 vulnerable 2026-06-03 14:39:46.871783 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent over cleartext HTTP.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T17:07:36.472Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13009 vulnerable 2026-06-03 14:39:36.388851 Details available
An issue was discovered in GitLab Community and Enterprise Edition 9.2 through 12.0.2. Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper permission settings. It has Incorrect Access Control.
Published: 2020-03-10T17:06:14.000Z
Updated: 2024-08-04T23:41:10.099Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13007 vulnerable 2026-06-03 14:39:36.388458 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.11 through 12.0.2. When an admin enabled one of the service templates, it was triggering an action that leads to resource depletion. It allows Uncontrolled Resource Consumption.
Published: 2020-03-10T17:03:04.000Z
Updated: 2024-08-04T23:41:10.098Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13006 vulnerable 2026-06-03 14:39:36.387981 Details available
An issue was discovered in GitLab Community and Enterprise Edition 9.0 through 12.0.2. Users with access to issues, but not the repository, were able to view the number of related merge requests on an issue. It has Incorrect Access Control.
Published: 2020-03-10T16:57:39.000Z
Updated: 2024-08-04T23:41:09.224Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13005 vulnerable 2026-06-03 14:39:36.387594 Details available
An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab graphql service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. It has Incorrect Access Control.
Published: 2020-03-10T14:57:24.000Z
Updated: 2024-08-04T23:41:10.042Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13004 vulnerable 2026-06-03 14:39:36.387198 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It has Incorrect Access Control (issue 1 of 2).
Published: 2020-03-10T14:54:59.000Z
Updated: 2024-08-04T23:41:10.180Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13003 vulnerable 2026-06-03 14:39:36.386679 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 12.0.3. One of the parsers used by GitLab CI was vulnerable to a resource exhaustion attack. It allows Uncontrolled Resource Consumption.
Published: 2020-03-10T14:53:30.000Z
Updated: 2024-08-04T23:41:09.223Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13002 vulnerable 2026-06-03 14:39:36.386242 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.
Published: 2020-03-10T14:51:46.000Z
Updated: 2024-08-04T23:41:10.108Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-13001 vulnerable 2026-06-03 14:39:36.385787 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass.
Published: 2020-03-10T14:49:10.000Z
Updated: 2024-08-04T23:41:09.235Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12446 vulnerable 2026-06-03 14:39:34.870752 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.3 through 11.11. It allows Information Exposure through an Error Message.
Published: 2020-03-10T14:47:10.000Z
Updated: 2024-08-04T23:17:40.246Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12445 vulnerable 2026-06-03 14:39:34.870452 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows XSS.
Published: 2020-03-10T14:45:16.000Z
Updated: 2024-08-04T23:17:40.180Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12444 vulnerable 2026-06-03 14:39:34.870137 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.9 through 11.11. Wiki Pages contained a lack of input validation which resulted in a persistent XSS vulnerability.
Published: 2020-03-10T14:42:32.000Z
Updated: 2024-08-04T23:17:40.008Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12443 vulnerable 2026-06-03 14:39:34.869827 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validation to prevent DNS rebinding attacks.
Published: 2020-03-10T14:41:01.000Z
Updated: 2024-08-04T23:17:40.125Z
Reference links
Imported from gcve-enriched-dumps CVE data
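The CVE-2019-12443 entry above names the failure mode (validation that does not defend against DNS rebinding) without describing the fix. The block below is an added example of the rebinding-resistant pattern a webhook or integration URL validator needs; it is not GitLab's own code. The rule is to resolve the hostname once, reject the request if any returned address is internal, and then hand the validated IP literal to the caller so the connection is made to that IP (with the original hostname only in the Host header/SNI) instead of resolving a second time. The blocked ranges are an assumed policy, the hostnames are constructed for the example, and `resolver:` is injectable so it runs offline; `rebinding_resolver` is a constructed attacker DNS server that answers a public address first and an internal one afterwards.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Addresses an outbound integration fetch must never reach. Assumed policy
# for this example: loopback, RFC 1918 / ULA, link-local (which covers the
# 169.254.169.254 cloud metadata endpoint) and the unspecified addresses.
def blocked_address?(ip)
  addr = IPAddr.new(ip.to_s)
  addr.loopback? || addr.private? || addr.link_local? ||
    addr == IPAddr.new('0.0.0.0') || addr == IPAddr.new('::')
end

# Rebinding-resistant validation: resolve ONCE, check every address the
# resolver returned, and return the validated IP so the caller connects to
# that literal IP and never re-resolves the hostname. `resolver` is a
# lambda(host) -> [ip strings]; the default uses the system resolver.
def safe_fetch_target(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  raise ArgumentError, "only http(s) allowed: #{url}" unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the [] around IPv6 literals
  raise ArgumentError, "missing host: #{url}" if host.nil? || host.empty?

  # A literal IP in the URL is validated as-is; a hostname is resolved once.
  addresses = begin
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  raise ArgumentError, "unresolvable host: #{host}" if addresses.empty?

  # Reject if ANY answer is internal: an attacker controls the answer set.
  bad = addresses.select { |a| blocked_address?(a) }
  raise ArgumentError, "#{host} resolves to blocked address(es): #{bad.join(', ')}" unless bad.empty?

  { scheme: uri.scheme, host: host, ip: addresses.first, port: uri.port }
end

# Constructed attacker DNS behaviour for the example: the first lookup returns
# a public address (passes the check), every later lookup returns an internal
# one. Code that validates by hostname and then connects by hostname is fooled;
# code that connects to the IP returned by safe_fetch_target is not.
def rebinding_resolver(public_ip = '203.0.113.10', internal_ip = '10.0.0.5')
  calls = 0
  lambda do |_host|
    calls += 1
    [calls == 1 ? public_ip : internal_ip]
  end
end
```

Whatever HTTP client then performs the request must be pointed at `target[:ip]` with `target[:host]` supplied as the Host header (and as the TLS server name for https), and must apply the same check again on every redirect, since a 30x to an internal address is the other common way around a one-time check.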
CVE:CVE-2019-12442 vulnerable 2026-06-03 14:39:34.869501 Details available
An issue was discovered in GitLab Enterprise Edition 11.7 through 11.11. The epic details page contained a lack of input validation and output encoding issue which resulted in a persistent XSS vulnerability on child epics.
Published: 2020-03-10T14:38:37.000Z
Updated: 2024-08-04T23:17:40.087Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12441 vulnerable 2026-06-03 14:39:34.869150 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. The protected branches feature contained an access control issue which resulted in a bypass of the protected branches restriction rules. It has Incorrect Access Control.
Published: 2020-03-10T14:36:45.000Z
Updated: 2024-08-04T23:17:40.128Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12434 vulnerable 2026-06-03 14:39:34.861234 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure.
Published: 2020-03-10T13:48:07.000Z
Updated: 2024-08-04T23:17:40.260Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12433 vulnerable 2026-06-03 14:39:34.860919 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues.
Published: 2020-03-10T13:45:50.000Z
Updated: 2024-08-04T23:17:40.132Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12432 vulnerable 2026-06-03 14:39:34.860590 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure.
Published: 2020-03-10T13:43:24.000Z
Updated: 2024-08-04T23:17:40.116Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12431 vulnerable 2026-06-03 14:39:34.860237 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access Control.
Published: 2020-03-10T13:41:50.000Z
Updated: 2024-08-04T23:17:40.069Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12429 vulnerable 2026-06-03 14:39:34.857148 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.
Published: 2020-03-10T13:10:16.000Z
Updated: 2024-08-04T23:17:40.003Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12428 vulnerable 2026-06-03 14:39:34.856785 Details available
An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization.
Published: 2020-03-10T13:08:16.000Z
Updated: 2024-08-04T23:17:40.006Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11605 vulnerable 2026-06-03 14:39:33.474603 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.8.x before 11.8.10, 11.9.x before 11.9.11, and 11.10.x before 11.10.3. It allows Information Disclosure. A small number of GitLab API endpoints would disclose project information when using a read_user scoped token.
Published: 2019-09-09T18:22:03.000Z
Updated: 2024-08-04T22:55:41.036Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11549 vulnerable 2026-06-03 14:39:33.388272 Details available
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly has an information disclosure issue where HTTP/Git credentials are included in logs on connection errors.
Published: 2019-09-09T18:54:19.000Z
Updated: 2024-08-04T22:55:40.960Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11548 vulnerable 2026-06-03 14:39:33.387900 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint.
Published: 2019-09-09T18:52:14.000Z
Updated: 2024-08-04T22:55:40.958Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11547 vulnerable 2026-06-03 14:39:33.387585 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues.
Published: 2019-09-09T18:49:01.000Z
Updated: 2024-08-04T22:55:40.934Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11546 vulnerable 2026-06-03 14:39:33.387227 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve a merge request multiple times and potentially reach the approval count required to merge.
Published: 2019-09-09T18:34:19.000Z
Updated: 2024-08-04T22:55:41.020Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11545 vulnerable 2026-06-03 14:39:33.386827 Details available
An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private project namespace is leaked to unauthorized users with access to the original issue.
Published: 2019-09-09T18:32:02.000Z
Updated: 2024-08-04T22:55:40.932Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11544 vulnerable 2026-06-03 14:39:33.385644 Details available
An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It allows Information Disclosure. Non-member users who subscribe to notifications of an internal project with issue and repository restrictions will receive emails about restricted events.
Published: 2019-09-09T18:28:54.000Z
Updated: 2024-08-04T22:55:41.038Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10640 vulnerable 2026-06-03 14:39:23.976656 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.10, 11.8.x before 11.8.6, and 11.9.x before 11.9.4. A regex input validation issue for the .gitlab-ci.yml refs value allows Uncontrolled Resource Consumption.
Published: 2019-05-15T18:58:17.000Z
Updated: 2024-08-04T22:31:59.943Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10117 vulnerable 2026-06-03 14:39:21.448141 Details available
An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node.
Published: 2019-05-16T15:00:18.000Z
Updated: 2024-08-04T22:10:09.944Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10116 vulnerable 2026-06-03 14:39:21.447790 Details available
An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue.
Published: 2019-05-16T14:55:14.000Z
Updated: 2024-08-04T22:10:09.893Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10115 vulnerable 2026-06-03 14:39:21.447438 Details available
An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information.
Published: 2019-05-16T14:46:46.000Z
Updated: 2024-08-04T22:10:09.914Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10114 vulnerable 2026-06-03 14:39:21.447049 Details available
An Information Exposure issue (issue 2 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.
Published: 2019-05-16T14:39:43.000Z
Updated: 2024-08-04T22:10:09.924Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10113 vulnerable 2026-06-03 14:39:21.446566 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Making concurrent GET /api/v4/projects/<id>/languages requests may allow Uncontrolled Resource Consumption.
Published: 2019-05-16T14:27:59.000Z
Updated: 2024-08-04T22:10:09.810Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10112 vulnerable 2026-06-03 14:39:21.446203 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The construction of the HMAC key was insecurely derived.
Published: 2019-05-16T15:11:45.000Z
Updated: 2024-08-04T22:10:09.925Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10111 vulnerable 2026-06-03 14:39:21.445833 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
Published: 2019-05-15T19:28:49.000Z
Updated: 2024-08-04T22:10:09.774Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10110 vulnerable 2026-06-03 14:39:21.445467 Details available
An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The "move issue" feature may allow a user to create projects under any namespace on any GitLab instance on which they hold credentials.
Published: 2019-05-15T19:23:36.000Z
Updated: 2024-08-04T22:10:09.889Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10109 vulnerable 2026-06-03 14:39:21.445076 Details available
An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. EXIF geolocation data were not removed from images when uploaded to GitLab. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data (if present).
Published: 2019-05-15T19:14:55.000Z
Updated: 2024-08-04T22:10:09.797Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-10108 vulnerable 2026-06-03 14:39:21.444014 Details available
An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels.
Published: 2019-05-15T19:06:26.000Z
Updated: 2024-08-04T22:10:09.770Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-9244 vulnerable 2026-06-03 14:39:10.732993 Details available
GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
Published: 2018-04-05T14:00:00.000Z
Updated: 2024-08-05T07:17:52.059Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-9243 vulnerable 2026-06-03 14:39:10.732618 Details available
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
Published: 2018-04-05T14:00:00.000Z
Updated: 2024-08-05T07:17:51.809Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-8801 vulnerable 2026-06-03 14:39:09.352716 Details available
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
Published: 2018-04-25T09:00:00.000Z
Updated: 2024-08-05T07:02:26.093Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-3710 vulnerable 2026-06-03 14:38:50.280457 Details available
GitLab Community and Enterprise Editions version 10.3.3 are vulnerable to an Insecure Temporary File in the project import component, resulting in remote code execution.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T04:50:30.417Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20507 vulnerable 2026-06-03 14:38:39.292403 Details available
An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.898Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20501 vulnerable 2026-06-03 14:38:39.280105 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.903Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20500 vulnerable 2026-06-03 14:38:39.279764 Details available
An insecure permissions issue was discovered in GitLab Community and Enterprise Edition 9.4 and later but before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. The runner registration token in the CI/CD settings could not be reset. This was a security risk if a maintainer who knew the token left the group.
Published: 2019-05-17T15:18:18.000Z
Updated: 2024-08-05T12:05:16.987Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20499 vulnerable 2026-06-03 14:38:39.279419 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.867Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20498 vulnerable 2026-06-03 14:38:39.278953 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:17.355Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20497 vulnerable 2026-06-03 14:38:39.278623 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:17.181Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20496 vulnerable 2026-06-03 14:38:39.278297 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.917Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20495 vulnerable 2026-06-03 14:38:39.277957 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.894Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20494 vulnerable 2026-06-03 14:38:39.277608 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:17.009Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20493 vulnerable 2026-06-03 14:38:39.277275 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:17.305Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20492 vulnerable 2026-06-03 14:38:39.276935 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).
Published: 2019-12-26T16:44:43.000Z
Updated: 2024-08-05T12:05:17.013Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20491 vulnerable 2026-06-03 14:38:39.276600 Details available
An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.911Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20490 vulnerable 2026-06-03 14:38:39.276252 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.920Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20489 vulnerable 2026-06-03 14:38:39.275892 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:17.136Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20488 vulnerable 2026-06-03 14:38:39.275516 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
Published: 2019-12-30T21:24:28.000Z
Updated: 2024-08-05T12:05:16.987Z
Reference links
Imported from gcve-enriched-dumps CVE data
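The affected-version phrasings in the entries above ("before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1", "11.2.x through 11.4.x before 11.4.13", "11.7 through 11.11", "8.3 up to 10.x before 10.3") are easy to misread by eye, especially the open-ended "before X" clause, which covers every release older than X and nothing newer. The block below is an added example, not part of this page or of GitLab, that turns those phrasings into explicit half-open intervals and checks a deployed version against them. It assumes that "through 11.11" includes the whole 11.11 series and that any clause it cannot parse is an error rather than "not affected"; the version strings in the usage are constructed for the example. Comparison uses `Gem::Version`, which ships with standard Ruby.

```ruby
require 'rubygems' # Gem::Version; already loaded by default in current Ruby

# One vulnerable interval: from <= v < below. `from` is nil for an open
# lower bound ("before 11.4.13" on its own means every earlier release).
AffectedRange = Struct.new(:from, :below) do
  def include?(v)
    (from.nil? || v >= from) && v < below
  end
end

def ver(s)
  Gem::Version.new(s)
end

# "through 11.11" includes every 11.11.x release, so the exclusive upper
# bound is the start of the next series: 11.11 -> 11.12.
def next_series(s)
  segs = s.split('.').map(&:to_i)
  segs[-1] += 1
  Gem::Version.new(segs.join('.'))
end

VERSION = /\d+(?:\.\d+)*/

# Parses the range phrasings used by the CVE descriptions on this page:
#   "before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1"
#   "11.2.x through 11.4.x before 11.4.13"
#   "11.7 through 11.11"
#   "8.3 up to 10.x before 10.3"
# Any other wording raises, so a typo never silently reads as "unaffected".
def parse_ranges(text)
  text.split(/,\s*(?:and\s+)?/).map do |clause|
    case clause.strip
    when /\A(#{VERSION})(?:\.x)?\s+through\s+(#{VERSION})\.x\s+before\s+(#{VERSION})\z/
      AffectedRange.new(ver($1), ver($3))          # 11.2 <= v < 11.4.13
    when /\A(#{VERSION})\s+up to\s+(#{VERSION})\.x\s+before\s+(#{VERSION})\z/
      AffectedRange.new(ver($1), ver($3))          # 8.3 <= v < 10.3
    when /\A(#{VERSION})\s+through\s+(#{VERSION})\z/
      AffectedRange.new(ver($1), next_series($2))  # 11.7 <= v < 11.12
    when /\A(?:(#{VERSION})(?:\.x)?\s+)?before\s+(#{VERSION})\z/
      AffectedRange.new($1 && ver($1), ver($2))    # [11.5 <=] v < 11.5.6
    else
      raise ArgumentError, "unrecognised range clause: #{clause.inspect}"
    end
  end
end

# true when `version` falls inside any interval described by `ranges_text`.
def affected?(version, ranges_text)
  v = ver(version)
  parse_ranges(ranges_text).any? { |r| r.include?(v) }
end

# Constructed usage: the 11.4.13 / 11.5.6 / 11.6.1 release triple from the
# entries above, checked against a few deployed versions.
if __FILE__ == $PROGRAM_NAME
  fix = 'before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1'
  %w[11.4.12 11.4.13 11.5.5 11.5.6 11.7.0].each do |v|
    puts "#{v}: #{affected?(v, fix) ? 'affected' : 'not affected'}"
  end
end
```

Note that 11.7.0 is reported as not affected by "before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1": the first clause is only an upper bound, and the other two are bounded above by their own fixed releases, so a release newer than all three fixes is outside every interval. That is exactly the reading a quick glance at "before 11.4.13" tends to get wrong in the other direction.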
CVE:CVE-2018-20229 vulnerable 2026-06-03 14:38:38.783365 Details available
GitLab Community and Enterprise Edition before 11.3.14, 11.4.x before 11.4.12, and 11.5.x before 11.5.5 allows Directory Traversal.
Published: 2019-04-04T16:54:07.000Z
Updated: 2024-08-05T11:58:18.635Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20144 vulnerable 2026-06-03 14:38:38.637338 Details available
GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x before 11.4.11, and 11.5.x before 11.5.4 has Incorrect Access Control.
Published: 2019-03-28T14:53:12.000Z
Updated: 2024-08-05T11:51:19.278Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19856 vulnerable 2026-06-03 14:38:29.655429 Details available
GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API.
Published: 2019-03-26T15:50:42.000Z
Updated: 2024-08-05T11:44:20.685Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19585 vulnerable 2026-06-03 14:38:29.418823 Details available
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
Published: 2019-05-17T15:09:53.000Z
Updated: 2024-08-05T11:37:11.532Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19583 vulnerable 2026-06-03 14:38:29.418165 Details available
GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token.
Published: 2019-07-10T16:43:45.000Z
Updated: 2024-08-05T11:37:11.533Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19580 vulnerable 2026-06-03 14:38:29.417105 Details available
All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made.
Published: 2019-07-10T16:04:39.000Z
Updated: 2024-08-05T11:37:11.605Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19577 vulnerable 2026-06-03 14:38:29.416224 Details available
Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue.
Published: 2019-07-10T14:59:19.000Z
Updated: 2024-08-05T11:37:11.599Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19576 vulnerable 2026-06-03 14:38:29.415855 Details available
GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential.
Published: 2019-07-10T15:35:53.000Z
Updated: 2024-08-05T11:37:11.642Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19575 vulnerable 2026-06-03 14:38:29.415514 Details available
GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue.
Published: 2019-07-10T15:52:43.000Z
Updated: 2024-08-05T11:37:11.524Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19574 vulnerable 2026-06-03 14:38:29.415176 Details available
GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page.
Published: 2019-07-10T15:59:40.000Z
Updated: 2024-08-05T11:37:11.519Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19573 vulnerable 2026-06-03 14:38:29.414824 Details available
GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid.
Published: 2019-07-10T15:01:19.000Z
Updated: 2024-08-05T11:37:11.525Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19572 vulnerable 2026-06-03 14:38:29.414514 Details available
GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.
Published: 2019-07-10T15:32:11.000Z
Updated: 2024-08-05T11:37:11.524Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19571 vulnerable 2026-06-03 14:38:29.414135 Details available
GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.
Published: 2019-07-10T16:01:50.000Z
Updated: 2024-08-05T11:37:11.656Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19570 vulnerable 2026-06-03 14:38:29.413771 Details available
GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags.
Published: 2019-07-10T15:28:42.000Z
Updated: 2024-08-05T11:37:11.526Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19569 vulnerable 2026-06-03 14:38:29.413429 Details available
GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope.
Published: 2019-07-10T15:56:27.000Z
Updated: 2024-08-05T11:37:11.503Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19496 vulnerable 2026-06-03 14:38:29.338311 Details available
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access control vulnerability that permits a user with insufficient privileges to promote a project milestone to a group milestone.
Published: 2019-07-10T14:50:43.000Z
Updated: 2024-08-05T11:37:11.503Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19495 vulnerable 2026-06-03 14:38:29.337950 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an SSRF vulnerability in the Prometheus integration.
Published: 2019-07-10T14:48:50.000Z
Updated: 2024-08-05T11:37:11.480Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19494 vulnerable 2026-06-03 14:38:29.337593 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access control vulnerability that allows an unauthorized user to view private group names.
Published: 2019-07-10T14:46:44.000Z
Updated: 2024-08-05T11:37:11.527Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19493 vulnerable 2026-06-03 14:38:29.337236 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding.
Published: 2019-07-10T14:44:47.000Z
Updated: 2024-08-05T11:37:11.520Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19359 vulnerable 2026-06-03 14:38:29.218735 Details available
GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.
Published: 2019-04-25T20:58:09.000Z
Updated: 2024-08-05T11:37:09.957Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18649 vulnerable 2026-06-03 14:38:28.161103 Details available
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
Published: 2018-11-29T15:00:00.000Z
Updated: 2024-08-05T11:15:59.964Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18648 vulnerable 2026-06-03 14:38:28.160770 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through an Error Message.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:15:59.841Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18647 vulnerable 2026-06-03 14:38:28.160412 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Missing Authorization.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:16:00.187Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18646 vulnerable 2026-06-03 14:38:28.160037 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows SSRF.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:15:59.991Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18645 vulnerable 2026-06-03 14:38:28.159695 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for Information Exposure via unsubscribe links in email replies.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:16:00.191Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18644 vulnerable 2026-06-03 14:38:28.159306 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows Information Exposure via a Gitlab Prometheus integration.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:16:00.254Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18643 vulnerable 2026-06-03 14:38:28.145941 Details available
GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.
Published: 2019-04-25T20:17:10.000Z
Updated: 2024-08-05T11:15:59.932Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18642 vulnerable 2026-06-03 14:38:28.145476 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:16:00.101Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18641 vulnerable 2026-06-03 14:38:28.145103 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Cleartext Storage of Sensitive Information.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:15:59.991Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18640 vulnerable 2026-06-03 14:38:28.144079 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:15:59.959Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17976 vulnerable 2026-06-03 14:38:22.398831 Details available
An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:01:14.766Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17975 vulnerable 2026-06-03 14:38:22.398537 Details available
An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:01:14.702Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17939 vulnerable 2026-06-03 14:38:22.332404 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the merge request JSON endpoint.
Published: 2018-12-04T23:00:00.000Z
Updated: 2024-08-05T11:01:14.732Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17537 vulnerable 2026-06-03 14:38:21.876426 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. The blob viewer has stored XSS during repository browsing if a package.json file exists.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T16:28:21.295Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17536 vulnerable 2026-06-03 14:38:21.876031 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project import.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:16:24.791Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17455 vulnerable 2026-06-03 14:38:21.814102 Details available
An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:18:51.858Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17454 vulnerable 2026-06-03 14:38:21.813725 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the issue details screen.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:24:19.188Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17453 vulnerable 2026-06-03 14:38:21.813348 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers may have been able to obtain sensitive access-token data from Sentry logs via the GRPC::Unknown exception.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:25:19.679Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17452 vulnerable 2026-06-03 14:38:21.812975 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via a loopback address to the validate_localhost function in url_blocker.rb.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:29:19.022Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17451 vulnerable 2026-06-03 14:38:21.812576 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Cross Site Request Forgery (CSRF) in the Slack integration for issuing slash commands.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:36:43.218Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-17450 vulnerable 2026-06-03 14:38:21.812159 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via the Kubernetes integration, leading (for example) to disclosure of a GCP service token.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-06T20:38:05.411Z
Imported from gcve-enriched-dumps CVE data
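CVE-2018-17452 above names the check that failed (validate_localhost in url_blocker.rb), and CVE-2018-17450, CVE-2018-18646, CVE-2018-19495 and CVE-2018-19571 are the same class of bug in the Kubernetes, Prometheus and webhook integrations: the server fetches a user-supplied URL without confirming where it points. The Ruby module below is an added example, not GitLab's url_blocker.rb; it shows the shape of a blocker that handles the alternate spellings of loopback an attacker tries (IPv6 ::1, the IPv4-mapped form, a hostname that resolves to 127.0.0.1). The blocked ranges, the injected resolver and the return shape are the example's own choices.

```ruby
require 'uri'
require 'ipaddr'

# Added example, not GitLab's url_blocker.rb. Decides whether the server may
# fetch a user-supplied URL (webhook, Prometheus, Kubernetes endpoint) and
# rejects loopback, link-local, private and IPv4-mapped targets. DNS resolution
# is injected so the example runs offline; a real deployment resolves every
# A/AAAA record, checks each one, and then connects to the checked address
# rather than re-resolving the name (otherwise DNS rebinding splits the check
# from the fetch).
module OutboundUrlCheck
  ALLOWED_SCHEMES = %w[http https].freeze

  BLOCKED_RANGES = [
    IPAddr.new('127.0.0.0/8'),    # loopback
    IPAddr.new('0.0.0.0/8'),      # "this host"
    IPAddr.new('10.0.0.0/8'),
    IPAddr.new('172.16.0.0/12'),
    IPAddr.new('192.168.0.0/16'),
    IPAddr.new('169.254.0.0/16'), # link-local, including cloud metadata 169.254.169.254
    IPAddr.new('::/128'),
    IPAddr.new('::1/128'),
    IPAddr.new('fc00::/7'),       # IPv6 unique local
    IPAddr.new('fe80::/10'),      # IPv6 link-local
  ].freeze

  # Returns [allowed, reason].
  def self.validate(raw, resolver: nil)
    begin
      uri = URI.parse(raw)
    rescue URI::InvalidURIError
      return [false, 'unparseable URL']
    end
    return [false, 'scheme not allowed'] unless ALLOWED_SCHEMES.include?(uri.scheme)

    host = uri.hostname.to_s     # hostname (not host) strips IPv6 brackets
    return [false, 'missing host'] if host.empty?
    return [false, 'localhost is blocked'] if host.casecmp?('localhost') || host.downcase.end_with?('.localhost')

    literal = literal_ip(host)
    addrs = literal ? [literal] : Array(resolver&.call(host))
    return [false, 'hostname did not resolve'] if addrs.empty?

    # Every resolved address must pass, not just the first one returned.
    addrs.each do |addr|
      ip = addr.is_a?(IPAddr) ? addr : IPAddr.new(addr.to_s)
      ip = ip.native if ip.ipv4_mapped?   # ::ffff:127.0.0.1 is loopback too
      return [false, "#{ip} is in a blocked range"] if BLOCKED_RANGES.any? { |r| r.include?(ip) }
    end
    [true, 'ok']
  end

  # Shorthand literals such as 127.1 or 2130706433 are not accepted by IPAddr
  # and fall through to the resolver. A resolver that mirrors getaddrinfo maps
  # them to loopback and the range check catches that; what matters is that
  # the later fetch uses the checked address, never the original string.
  def self.literal_ip(host)
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end
end
```

Two properties matter beyond the list of ranges: every address a name resolves to has to pass, and the connection has to be made to the address that was checked. A check that passes followed by a fetch that re-resolves the hostname can be split by DNS rebinding, which is why the resolver result, not the name, should be what the HTTP client is given.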
CVE:CVE-2018-17449 vulnerable 2026-06-03 14:38:21.808915 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-07T16:46:22.155Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-16051 vulnerable 2026-06-03 14:38:19.812114 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Orphaned Upload Files Exposure.
Published: 2018-10-03T16:00:00.000Z
Updated: 2024-08-05T10:10:06.091Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-16050 vulnerable 2026-06-03 14:38:19.811740 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View.
Published: 2018-10-03T16:00:00.000Z
Updated: 2024-08-05T10:10:06.090Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-16049 vulnerable 2026-06-03 14:38:19.811300 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.
Published: 2018-10-03T16:00:00.000Z
Updated: 2024-08-05T10:10:05.810Z
Imported from gcve-enriched-dumps CVE data
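CVE-2018-16049 above, CVE-2018-17453 (Sentry) and CVE-2018-19583 (Workhorse) are the same failure in three log sinks: a request URL, header or exception message was written out with a credential still in it. The Ruby below is an added example, not Workhorse, Sidekiq or GitLab code; it scrubs query parameters, headers, URL userinfo and free-text exception messages before a log record is emitted. The parameter and header names, the token prefix pattern and the FILTERED marker are the example's own assumptions.

```ruby
require 'uri'

# Added example, not GitLab, Workhorse or Sidekiq code. Credentials are removed
# from the places the entries above show them leaking (query strings, headers,
# URL userinfo, exception text) before a log line is serialized. Names and
# token shapes below are assumptions made for the example.
module LogScrub
  MASK = 'FILTERED'
  SENSITIVE_PARAMS  = %w[private_token access_token token password secret job_token].freeze
  SENSITIVE_HEADERS = %w[authorization private-token job-token cookie].freeze

  # Free-text patterns, applied to anything that is not parsed structurally.
  TOKEN_PATTERNS = [
    [/\bglpat-[A-Za-z0-9_-]{20,}/, MASK],                                         # prefixed token
    [/([?&](?:private_token|access_token|token|password|secret)=)[^&\s]+/i, "\\1#{MASK}"],
    [/(bearer )[A-Za-z0-9._-]+/i, "\\1#{MASK}"],
    [%r{(://[^/\s@:]+:)[^/\s@]+(@)}, "\\1#{MASK}\\2"],                            # user:password@host
  ].freeze

  def self.scrub_text(text)
    TOKEN_PATTERNS.reduce(text.to_s) { |t, (re, rep)| t.gsub(re, rep) }
  end

  # Parse the URL and replace by parameter name; fall back to the text
  # patterns when it does not parse, and run them over the result anyway so a
  # token embedded in the path is caught too.
  def self.scrub_url(url)
    uri = URI.parse(url)
    uri.password = MASK if uri.password
    unless uri.query.nil?
      pairs = URI.decode_www_form(uri.query).map do |k, v|
        [k, SENSITIVE_PARAMS.include?(k.downcase) ? MASK : v]
      end
      uri.query = URI.encode_www_form(pairs)
    end
    scrub_text(uri.to_s)
  rescue URI::InvalidURIError
    scrub_text(url)
  end

  def self.scrub_headers(headers)
    headers.to_h { |k, v| [k, SENSITIVE_HEADERS.include?(k.to_s.downcase) ? MASK : v] }
  end

  # One structured log record, scrubbed field by field. Exceptions go through
  # scrub_text because their messages often embed the failing URL verbatim.
  def self.line(method:, url:, headers:, error: nil)
    {
      method: method,
      url: scrub_url(url),
      headers: scrub_headers(headers),
      error: error && scrub_text(error.message),
    }
  end
end
```

Scrubbing at the point of logging is the last line of defence; the entries above show the credential reaching the sink through a library's exception message, which no filter on the request path would have seen. Run the scrubber on every field of the record, including the ones that are not supposed to carry secrets.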
CVE:CVE-2018-15472 vulnerable 2026-06-03 14:38:13.507879 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. The diff formatter using rouge can block for a long time in Sidekiq jobs without any timeout.
Published: 2023-04-15T00:00:00.000Z
Updated: 2025-02-10T15:09:21.872Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14606 vulnerable 2026-06-03 14:38:12.248528 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur via a Milestone name during a promotion.
Published: 2018-07-27T02:00:00.000Z
Updated: 2024-08-05T09:29:51.709Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14605 vulnerable 2026-06-03 14:38:12.248185 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the branch name during a Web IDE file commit.
Published: 2018-07-27T02:00:00.000Z
Updated: 2024-08-05T09:29:51.968Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14604 vulnerable 2026-06-03 14:38:12.247864 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the tooltip of the job inside the CI/CD pipeline.
Published: 2018-07-27T02:00:00.000Z
Updated: 2024-08-05T09:29:51.706Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14603 vulnerable 2026-06-03 14:38:12.247535 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
Published: 2018-07-27T02:00:00.000Z
Updated: 2024-08-05T09:29:51.698Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14602 vulnerable 2026-06-03 14:38:12.247174 Details available
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames.
Published: 2018-07-27T02:00:00.000Z
Updated: 2024-08-05T09:29:51.681Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14601 vulnerable 2026-06-03 14:38:12.246780 Details available
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.2. A Denial of Service can occur because Markdown rendering times are slow.
Published: 2018-07-27T02:00:00.000Z
Updated: 2024-08-05T09:29:51.716Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14364 vulnerable 2026-06-03 14:38:12.005227 Details available
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.
Published: 2018-07-18T19:00:00.000Z
Updated: 2024-08-05T09:29:50.113Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-12607 vulnerable 2026-06-03 14:38:04.602959 Details available
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The charts feature contained a persistent XSS issue due to a lack of output encoding.
Published: 2018-08-03T18:00:00.000Z
Updated: 2024-08-05T08:38:06.358Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-12606 vulnerable 2026-06-03 14:38:04.602457 Details available
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The wiki contains a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature.
Published: 2018-08-03T18:00:00.000Z
Updated: 2024-08-05T08:38:06.316Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-12605 vulnerable 2026-06-03 14:38:04.601410 Details available
An issue was discovered in GitLab Community Edition and Enterprise Edition 10.7.x before 10.7.6. The usage of 'url_for' contained an XSS issue due to it allowing arbitrary protocols as a parameter.
Published: 2018-08-03T18:00:00.000Z
Updated: 2024-08-05T08:38:06.327Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-10379 vulnerable 2026-06-03 14:37:53.370445 Details available
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability.
Published: 2018-05-31T21:00:00.000Z
Updated: 2024-08-05T07:39:07.955Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-12426 vulnerable 2026-06-03 14:36:35.969530 Details available
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
Published: 2017-08-14T21:00:00.000Z
Updated: 2024-08-05T18:36:56.379Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0927 vulnerable 2026-06-03 14:36:19.719440 Details available
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:16.907Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0926 vulnerable 2026-06-03 14:36:19.719046 Details available
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:16.917Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0925 vulnerable 2026-06-03 14:36:19.718621 Details available
Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:17.478Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0924 vulnerable 2026-06-03 14:36:19.718188 Details available
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:17.209Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0922 vulnerable 2026-06-03 14:36:19.709666 Details available
Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:16.596Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0921 vulnerable 2026-06-03 14:36:19.709302 Details available
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.
Published: 2018-07-03T21:00:00.000Z
Updated: 2024-09-17T00:40:46.151Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0920 vulnerable 2026-06-03 14:36:19.708969 Details available
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component, allowing an attacker to see every project name and its namespace on a GitLab instance.
Published: 2018-03-22T15:00:00.000Z
Updated: 2024-08-05T13:25:16.968Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0919 vulnerable 2026-06-03 14:36:19.708590 Details available
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized.
Published: 2018-07-03T21:00:00.000Z
Updated: 2024-09-17T02:27:55.985Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0918 vulnerable 2026-06-03 14:36:19.708236 Details available
Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:17.195Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0917 vulnerable 2026-06-03 14:36:19.707798 Details available
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:17.004Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0916 vulnerable 2026-06-03 14:36:19.707389 Details available
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:16.962Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-0915 vulnerable 2026-06-03 14:36:19.706952 Details available
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:16.906Z
Imported from gcve-enriched-dumps CVE data
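CVE-2018-14364 and CVE-2017-0915 (project import), CVE-2017-0918 (CI runner), CVE-2018-20229 and CVE-2018-19856 (templates API) are all path traversal: a name taken from user input or an uploaded archive is joined to a server directory and ends up referring to a file outside it, which with write access becomes code execution. The Ruby below is an added example, not GitLab's import or runner code, showing the containment check an extractor needs, including the symlink case that a purely lexical check misses. The entry names, the tmpdir layout and the summary hash are constructed for the demo.

```ruby
require 'pathname'
require 'fileutils'
require 'tmpdir'

# Added example, not GitLab's import or runner code. Every entry name read from
# an untrusted archive is resolved against the extraction directory before a
# byte is written, so "../" components, absolute names and symlinks planted by
# earlier entries cannot redirect the write outside that directory.
module SafeExtract
  class TraversalError < StandardError; end

  # Absolute destination for +entry+ under +base+, or TraversalError.
  def self.destination(base, entry)
    real_base = Pathname.new(base).realpath      # base must already exist
    raise TraversalError, "absolute path: #{entry}" if Pathname.new(entry).absolute?

    dest = (real_base + entry).cleanpath          # lexical: collapses "." and ".."
    raise TraversalError, "escapes base: #{entry}" unless inside?(dest, real_base)

    # cleanpath does not follow symlinks. Walk up to the longest prefix that
    # exists on disk (a dangling symlink counts) and check where it points.
    existing = dest
    existing = existing.parent until existing.exist? || existing.symlink?
    begin
      real = existing.realpath
    rescue Errno::ENOENT
      raise TraversalError, "dangling symlink in path: #{entry}"
    end
    raise TraversalError, "symlink escapes base: #{entry}" unless inside?(real, real_base)

    dest
  end

  def self.inside?(path, base)
    path == base || path.to_s.start_with?(base.to_s + File::SEPARATOR)
  end

  # Writes (name, content) pairs under +base+; returns the paths written.
  # Symlink entries from the archive are never materialised in this example.
  def self.extract(base, entries)
    entries.map do |name, content|
      dest = destination(base, name)
      FileUtils.mkdir_p(dest.dirname)
      File.write(dest, content)
      dest.to_s
    end
  end

  def self.rejects?(base, name)
    extract(base, [[name, 'x']])
    false
  rescue TraversalError
    true
  end

  # Constructed sample archive exercising the checks; returns a summary hash.
  def self.demo
    Dir.mktmpdir('import') do |base|
      written = extract(base, [['project.json', '{}'], ['uploads/a/b.txt', 'hi']])
      rejected = ['../../etc/cron.d/evil', '/tmp/evil', 'uploads/../../evil'].count { |n| rejects?(base, n) }
      File.symlink(Dir.tmpdir, File.join(base, 'link'))   # planted link to outside
      { written: written.size, rejected: rejected, symlink_rejected: rejects?(base, 'link/evil') }
    end
  end
end
```

The order matters: the lexical check rejects the obvious "../" and absolute forms, and the realpath check afterwards catches the case where an earlier entry (or the runner's own workspace) already contains a symlink pointing out of the tree. Checking only one of the two leaves a path through the other.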
CVE:CVE-2017-0914 vulnerable 2026-06-03 14:36:19.705923 Details available
Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2.4 are vulnerable to a SQL injection in the MilestoneFinder component resulting in disclosure of all data in a GitLab instance's database.
Published: 2018-03-21T20:00:00.000Z
Updated: 2024-08-05T13:25:16.728Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-4583 vulnerable 2026-06-03 14:33:18.304009 Details available
The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges and clone arbitrary repositories.
Published: 2020-01-28T15:11:45.000Z
Updated: 2024-08-06T16:45:14.926Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-4582 vulnerable 2026-06-03 14:33:18.303442 Details available
The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allow remote authenticated users to include information from local files in the metadata of a Git repository via the web interface.
Published: 2020-01-28T15:17:23.000Z
Updated: 2024-08-06T16:45:15.169Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-4581 vulnerable 2026-06-03 14:33:18.286552 Details available
GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote attackers to execute arbitrary code via a crafted change using SSH.
Published: 2014-05-12T14:00:00.000Z
Updated: 2024-08-06T16:45:14.854Z
Imported from gcve-enriched-dumps CVE data
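CVE-2013-4583 and CVE-2013-4581 sit in gitlab-shell, the program an SSH forced command hands SSH_ORIGINAL_COMMAND to: the command string was parsed loosely, so a user with any registered key could name repositories they had no access to or get code executed. The Ruby below is an added example, not gitlab-shell's parse_cmd; it shows the strict parse (allowlisted verb, one argument of a fixed shape, no shell involved) followed by a per-key authorization check. The ACL hash is a constructed stand-in for the lookup against GitLab's internal API.

```ruby
# Added example, not gitlab-shell's parse_cmd. A forced-command handler sees
# SSH_ORIGINAL_COMMAND as an opaque string; it must accept only the git
# service verbs, exactly one repository argument of the expected shape, and
# only repositories the presenting key is authorized for, and then exec with
# an argv array. The ACL is a constructed stand-in for the internal API lookup.
module SshCommand
  class Rejected < StandardError; end

  GIT_COMMANDS = %w[git-upload-pack git-receive-pack git-upload-archive].freeze
  WRITE_VERBS  = %w[git-receive-pack].freeze
  # namespace/project.git: two segments with a conservative character set,
  # each starting and ending with an alphanumeric so "." and ".." cannot occur,
  # no extra slashes, no quotes or shell metacharacters.
  REPO_PATH = %r{\A(?<path>[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?/[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?)\.git\z}i

  def self.parse(original_command)
    raise Rejected, 'empty command' if original_command.nil? || original_command.strip.empty?
    parts = original_command.strip.split(/\s+/)        # plain split: there is no shell here
    raise Rejected, "expected 2 words, got #{parts.size}" unless parts.size == 2
    verb, arg = parts
    raise Rejected, "unknown command #{verb}" unless GIT_COMMANDS.include?(verb)

    # git clients single-quote the path; accept it quoted on both ends or bare.
    repo = arg.start_with?("'") && arg.end_with?("'") && arg.size >= 2 ? arg[1..-2] : arg
    m = REPO_PATH.match(repo)
    raise Rejected, "bad repository path: #{arg}" unless m
    [verb, m[:path]]
  end

  # The key identifies a user; permission is looked up per repository and per
  # operation, never inferred from the fact that the key is registered.
  def self.authorize(key_id, verb, path, acl)
    needed = WRITE_VERBS.include?(verb) ? :write : :read
    perms  = acl.dig(key_id, path) || []
    raise Rejected, "#{key_id} may not #{needed} #{path}" unless perms.include?(needed)
    true
  end

  # Returns [verb, path]; the caller would pass these to exec(verb, repo_root/path)
  # as separate arguments.
  def self.handle(key_id, original_command, acl)
    verb, path = parse(original_command)
    authorize(key_id, verb, path, acl)
    [verb, path]
  end
end
```

Everything the handler refuses is refused before any process is started, and the eventual exec receives the verb and path as separate argv entries, so a repository name can never become part of a shell command line.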
CVE:CVE-2013-4580 vulnerable 2026-06-03 14:33:18.242426 Details available
GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1, when using a MySQL backend, allows remote attackers to impersonate arbitrary users and bypass authentication via unspecified API calls.
Published: 2014-05-12T14:00:00.000Z
Updated: 2024-08-06T16:45:14.838Z
Imported from gcve-enriched-dumps CVE data
