
cpe:2.3:a:gitlab:gitlab_ce/ee:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Gitlab (57573e99-56e6-5fad-895e-0ce7fffc5b90)
Product: Gitlab Ce/Ee (ffdcd936-138c-53b0-a59b-66bcf8dab76f)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale
CVE-2020-26417 | vulnerable | submitted 2026-06-03 14:42:16.836513 | details available
Severity: MEDIUM (5.3)
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. Affected versions: >=13.1 <13.4.7; >=13.5 <13.5.5; >=13.6 <13.6.2.
Published: 2020-12-11T03:37:36.000Z
Updated: 2024-08-04T15:56:04.584Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-26413 | vulnerable | submitted 2026-06-03 14:42:16.834934 | details available
Severity: MEDIUM (5.3)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email addresses being unexpectedly visible.
Published: 2020-12-11T03:47:34.000Z
Updated: 2024-08-04T15:56:04.703Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-26409 | vulnerable | submitted 2026-06-03 14:42:16.831970 | details available
Severity: MEDIUM (4.3)
A DoS vulnerability exists in GitLab CE/EE that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields. Affected versions: >=10.3 <13.4.7; >=13.5 <13.5.5; >=13.6 <13.6.2.
Published: 2020-12-11T01:17:28.000Z
Updated: 2024-08-04T15:56:04.626Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-26408 | vulnerable | submitted 2026-06-03 14:42:16.831531 | details available
Severity: MEDIUM (5.3)
A limited information disclosure vulnerability exists in GitLab CE/EE that allows an attacker to view limited information in a user's private profile. Affected versions: >=12.2 <13.4.7; >=13.5 <13.5.5; >=13.6 <13.6.2.
Published: 2020-12-11T04:01:26.000Z
Updated: 2024-08-04T15:56:04.394Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-26407 | vulnerable | submitted 2026-06-03 14:42:16.831081 | details available
Severity: MEDIUM (5.5)
An XSS vulnerability exists in GitLab CE/EE that allows an attacker to perform cross-site scripting against other users by importing a malicious project. Affected versions: >=12.4 <13.4.7; >=13.5 <13.5.5; >=13.6 <13.6.2.
Published: 2020-12-10T05:16:24.000Z
Updated: 2024-08-04T15:56:04.267Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-26405 | vulnerable | submitted 2026-06-03 14:42:16.828233 | details available
Severity: HIGH (7.1)
Path traversal vulnerability in the package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions: >=12.8 <13.3.9; >=13.4 <13.4.5; >=13.5 <13.5.2.
Published: 2020-11-17T18:26:50.000Z
Updated: 2024-08-04T15:56:04.586Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13359 | vulnerable | submitted 2026-06-03 14:41:36.568985 | details available
Severity: HIGH (7.6)
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation, allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions: >=12.10 <13.3.9; >=13.4 <13.4.5; >=13.5 <13.5.2.
Published: 2020-11-18T23:57:34.000Z
Updated: 2024-08-04T12:18:17.623Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13358 | vulnerable | submitted 2026-06-03 14:41:36.568554 | details available
Severity: MEDIUM (4.7)
A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions: >=13.3 <13.3.9; >=13.4 <13.4.5; >=13.5 <13.5.2.
Published: 2020-11-17T00:20:25.000Z
Updated: 2024-08-04T12:18:17.461Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13357 | vulnerable | submitted 2026-06-03 14:41:36.568127 | details available
Severity: MEDIUM (4.3)
An issue was discovered in GitLab CE/EE that allowed an unauthorized user to access the user list corresponding to a feature flag in a project. Affected versions: >=13.1 <13.4.7; >=13.5 <13.5.5; >=13.6 <13.6.2.
Published: 2020-12-11T03:55:55.000Z
Updated: 2024-08-04T12:18:17.628Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13356 | vulnerable | submitted 2026-06-03 14:41:36.567696 | details available
Severity: HIGH (8.2)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions: >=8.8.9 <13.3.9; >=13.4 <13.4.5; >=13.5 <13.5.2.
Published: 2020-11-18T23:35:05.000Z
Updated: 2024-08-04T12:18:17.540Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13355 | vulnerable | submitted 2026-06-03 14:41:36.567239 | details available
Severity: HIGH (7.5)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal in LFS Upload allows an attacker to overwrite certain specific paths on the server. Affected versions: >=8.14 <13.3.9; >=13.4 <13.4.5; >=13.5 <13.5.2.
Published: 2020-11-18T23:30:25.000Z
Updated: 2024-08-04T12:18:17.457Z
Rationale: Imported from gcve-enriched-dumps CVE data
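The two path-traversal entries above (CVE-2020-26405, package upload, and CVE-2020-13355, LFS upload) describe the same bug class: a user-controlled package or file name is joined onto a storage root without checking where the result lands, so "../" segments walk out of the root and the server writes wherever the attacker chose. The Ruby below is an added illustration written for this page, not GitLab's code and not the code the advisories refer to; PACKAGE_ROOT, unsafe_package_path and safe_package_path are hypothetical names chosen for the example, and the root directory is constructed and does not need to exist because every check is lexical.

```ruby
require "pathname"

# Root under which uploaded package files may be written. Constructed for this
# example; it does not need to exist because every check here is lexical.
PACKAGE_ROOT = "/var/opt/gitlab/packages".freeze

# The pattern behind this bug class: attacker-controlled name segments are
# joined onto a trusted root without checking where the result lands, so
# "../" segments walk straight out of PACKAGE_ROOT. Hypothetical helper, not
# GitLab's code.
def unsafe_package_path(package_name, file_name)
  File.join(PACKAGE_ROOT, package_name, file_name)
end

# Hardened version. Returns the absolute destination path, or nil when the
# input would place the file outside PACKAGE_ROOT.
def safe_package_path(package_name, file_name)
  [package_name, file_name].each do |part|
    return nil if part.nil? || part.empty?
    return nil if part.include?("\0")                   # NUL truncates in C layers below
    return nil if part.start_with?("/", "\\")            # absolute paths are never accepted
    return nil if part.split(%r{[/\\]}).include?("..")   # no parent-directory segments at all
  end

  root = Pathname.new(PACKAGE_ROOT).cleanpath
  # Pathname#+ and #cleanpath resolve "." and ".." lexically, so the prefix
  # test below sees the real destination rather than the raw string.
  candidate = (root + package_name + file_name).cleanpath

  # Compare with a trailing separator: "/var/opt/gitlab/packages-evil" must
  # not pass as being under "/var/opt/gitlab/packages".
  return nil unless candidate.to_s.start_with?(root.to_s + File::SEPARATOR)

  candidate.to_s
end
```

The check is purely lexical. If an attacker can create symlinks under PACKAGE_ROOT (for example through an earlier upload), resolve the parent directory with Pathname#realpath just before writing, or open the file with O_NOFOLLOW, and run the same prefix test on the resolved path.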
CVE-2020-13354 | vulnerable | submitted 2026-06-03 14:41:36.566740 | details available
Severity: MEDIUM (4.3)
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause an exponential number of regular-expression backtracks for certain user-supplied values, resulting in high CPU usage. Affected versions: >=12.6 <13.3.9.
Published: 2020-11-17T00:43:55.000Z
Updated: 2024-08-04T12:18:17.583Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13352 | vulnerable | submitted 2026-06-03 14:41:36.564244 | details available
Severity: LOW (3.7)
Private group information is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private group to a public group. Affected versions: >=10.2 <13.3.9; >=13.4 <13.4.5; >=13.5 <13.5.2.
Published: 2020-11-17T00:36:27.000Z
Updated: 2024-08-04T12:18:17.655Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13351 | vulnerable | submitted 2026-06-03 14:41:36.563754 | details available
Severity: MEDIUM (6.5)
Insufficient permission checks in the scheduled pipeline API in GitLab CE/EE 13.0+ allow an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions: >=13.0 <13.3.9; >=13.4.0 <13.4.5; >=13.5.0 <13.5.2.
Published: 2020-11-17T17:52:28.000Z
Updated: 2024-08-04T12:18:17.580Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2020-13350 | vulnerable | submitted 2026-06-03 14:41:36.563200 | details available
Severity: LOW (3.1)
CSRF in the runner administration page of GitLab CE/EE allows an attacker who is able to target GitLab instance administrators to pause or resume runners. Affected versions: all versions <13.3.9; >=13.4.0 <13.4.5; >=13.5.0 <13.5.2.
Published: 2020-11-17T17:55:43.000Z
Updated: 2024-08-04T12:18:17.575Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-5465 | vulnerable | submitted 2026-06-03 14:40:30.231213 | details available
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later: using the move-issue feature could disclose the ID of the newly created issue.
Published: 2020-01-28T02:28:00.000Z
Updated: 2024-08-04T19:54:53.509Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-5464 | vulnerable | submitted 2026-06-03 14:40:30.230762 | details available
A flawed DNS rebinding protection was discovered in GitLab CE/EE 10.2 and later in `url_blocker.rb`, which could result in SSRF wherever that library is used.
Published: 2020-01-28T02:23:14.000Z
Updated: 2024-08-04T19:54:53.478Z
Rationale: Imported from gcve-enriched-dumps CVE data
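CVE-2019-5464 above concerns DNS rebinding. A URL check that resolves a host name, finds a public address, and then hands the name to the HTTP client (which resolves it a second time) is defeated by an attacker-controlled DNS server that answers with a public address on the first lookup and an internal one on the second. The Ruby below is an added example written for this page, not GitLab's `url_blocker.rb` and not the fix the advisory refers to; BLOCKED_RANGES, RebindingResolver, checked_host_unpinned and checked_target_pinned are hypothetical names, and the resolver answers are constructed so the block runs with no network access.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges an outbound request from the server must never reach.
# Constructed list for this example; a real deployment adds its own
# metadata endpoints and internal networks.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the address string +ip+ falls in a blocked range. IPv4-mapped
# IPv6 addresses such as ::ffff:127.0.0.1 are unwrapped first so they cannot
# be used to slip past the IPv4 ranges.
def blocked_address?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# A resolver that answers differently on successive lookups, which is what an
# attacker's authoritative DNS server does in a rebinding attack. Constructed
# for the example; it never touches the network.
class RebindingResolver
  def initialize(*answers)
    @answers = answers
    @calls = 0
  end

  # Returns the answer for this call number, repeating the last one forever.
  def call(_host)
    answer = @answers[[@calls, @answers.size - 1].min]
    @calls += 1
    answer
  end
end

# Flawed pattern: the host name is resolved and checked, then the *name* is
# returned for the HTTP client to connect to. The client resolves it again,
# and that second answer is never validated.
def checked_host_unpinned(url, resolver)
  uri = URI.parse(url)
  ips = resolver.call(uri.hostname)
  raise ArgumentError, "blocked address" if ips.any? { |ip| blocked_address?(ip) }
  uri.hostname
end

# Hardened pattern: resolve exactly once, validate every returned address, and
# return the IP the caller must connect to. The caller sends the original host
# name in the Host header and TLS SNI and never resolves it again.
def checked_target_pinned(url, resolver = ->(h) { Resolv.getaddresses(h) })
  uri = URI.parse(url)
  raise ArgumentError, "scheme not allowed" unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  raise ArgumentError, "missing host" if host.nil? || host.empty?

  # Literal IP hosts skip DNS but still go through the range check.
  literal = begin
    IPAddr.new(host)
  rescue ArgumentError
    nil
  end
  ips = literal ? [literal.to_s] : resolver.call(host)
  raise ArgumentError, "unresolvable host" if ips.empty?
  raise ArgumentError, "blocked address" if ips.any? { |ip| blocked_address?(ip) }

  { scheme: uri.scheme, host: host, ip: ips.first, port: uri.port }
end
```

The returned :ip is what the socket must connect to, with :host carried in the Host header and SNI; if the HTTP client is given the name instead, it repeats the lookup and the check is void. Every redirect hop needs the same treatment, since a public first hop can redirect to an internal address.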
CVE-2019-15586 | vulnerable | submitted 2026-06-03 14:39:47.913342 | details available
An XSS vulnerability exists in GitLab CE/EE <12.1.10 in the Mermaid plugin.
Published: 2020-01-28T02:14:59.000Z
Updated: 2024-08-05T00:49:13.628Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-15585 | vulnerable | submitted 2026-06-03 14:39:47.913031 | details available
Improper authentication exists in <12.3.2, <12.2.6, and <12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE): the GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account.
Published: 2020-01-28T02:21:16.000Z
Updated: 2024-08-05T00:49:13.654Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-15583 | vulnerable | submitted 2026-06-03 14:39:47.912320 | details available
An information disclosure exists in <12.3.2, <12.2.6, and <12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
Published: 2020-01-28T02:24:38.000Z
Updated: 2024-08-05T00:49:13.753Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-15579 | vulnerable | submitted 2026-06-03 14:39:47.907357 | details available
An information disclosure exists in <12.3.2, <12.2.6, and <12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones.
Published: 2020-01-28T02:45:42.000Z
Updated: 2024-08-05T00:49:13.633Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-15578 | vulnerable | submitted 2026-06-03 14:39:47.906888 | details available
An information disclosure exists in <12.3.2, <12.2.6, and <12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project that used to be public would be disclosed in the unsubscribe email link of issues and merge requests.
Published: 2020-01-28T02:46:55.000Z
Updated: 2024-08-05T00:49:13.672Z
Rationale: Imported from gcve-enriched-dumps CVE data
