Total
1025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39937 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances | |||||
| CVE-2021-39868 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. | |||||
| CVE-2021-39884 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | |||||
| CVE-2021-39866 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM |
| A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. | |||||
| CVE-2021-39907 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage. | |||||
| CVE-2022-0154 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
| An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account. | |||||
| CVE-2021-22260 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf | |||||
| CVE-2021-39931 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error. | |||||
| CVE-2021-39916 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | |||||
| CVE-2021-39935 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API | |||||
| CVE-2021-22264 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted. | |||||
| CVE-2021-39867 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
| In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks. | |||||
| CVE-2021-39891 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. | |||||
| CVE-2022-0244 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file. | |||||
| CVE-2021-39945 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 2.7 LOW |
| Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked | |||||
| CVE-2021-39889 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. | |||||
| CVE-2021-39881 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 3.5 LOW |
| In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description. | |||||
| CVE-2021-39896 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 3.8 LOW |
| In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues. | |||||
| CVE-2021-39910 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature. | |||||
| CVE-2021-39882 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. | |||||