
cpe:2.3:a:gitlab:gitlab_ee:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Gitlab (57573e99-56e6-5fad-895e-0ce7fffc5b90)
Product: Gitlab Ee (799820b6-b1a0-5004-a67c-7506299e9c13)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpe | Applicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2021-22240 vulnerable 2026-06-03 14:43:52.374024 Details available
MEDIUM (4.2)
Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled.
Published: 2021-08-05T19:25:09.000Z
Updated: 2024-08-03T18:37:18.341Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26416 vulnerable 2026-06-03 14:42:16.836121 Details available
MEDIUM (4)
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
Published: 2020-12-11T03:34:03.000Z
Updated: 2024-08-04T15:56:04.341Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26412 vulnerable 2026-06-03 14:42:16.834544 Details available
LOW (3.1)
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
Published: 2020-12-11T03:51:02.000Z
Updated: 2024-08-04T15:56:04.357Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26406 vulnerable 2026-06-03 14:42:16.830573 Details available
MEDIUM (5.3)
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2.
Published: 2020-11-17T00:13:19.000Z
Updated: 2024-08-04T15:56:04.397Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13349 vulnerable 2026-06-03 14:41:36.561632 Details available
MEDIUM (4.3)
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature being susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2.
Published: 2020-11-17T18:22:32.000Z
Updated: 2024-08-04T12:18:17.565Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13348 vulnerable 2026-06-03 14:41:36.561160 Details available
MEDIUM (5.7)
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2.
Published: 2020-11-17T18:11:51.000Z
Updated: 2024-08-04T12:18:17.574Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-5474 vulnerable 2026-06-03 14:40:30.242750 Details available
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
Published: 2020-01-28T02:29:38.000Z
Updated: 2024-08-04T19:54:53.488Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15590 vulnerable 2026-06-03 14:39:47.920595 Details available
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration.
Published: 2020-01-28T02:31:05.000Z
Updated: 2024-08-05T00:49:13.635Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15582 vulnerable 2026-06-03 14:39:47.911919 Details available
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
Published: 2020-01-28T02:36:05.000Z
Updated: 2024-08-05T00:49:13.762Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15581 vulnerable 2026-06-03 14:39:47.911474 Details available
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
Published: 2020-01-28T02:43:00.000Z
Updated: 2024-08-05T00:49:13.763Z
Imported from gcve-enriched-dumps CVE data
