Vulnerabilities (CVE)

Filtered by vendor Gitlab Subscribe
Total 1047 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-39944 1 Gitlab 1 Gitlab 2024-02-28 5.5 MEDIUM 7.1 HIGH
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import
CVE-2021-22263 1 Gitlab 1 Gitlab 2024-02-28 5.5 MEDIUM 6.5 MEDIUM
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
CVE-2021-39875 1 Gitlab 1 Gitlab 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
CVE-2021-39871 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.
CVE-2021-39895 1 Gitlab 1 Gitlab 2024-02-28 2.1 LOW 4.5 MEDIUM
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.
CVE-2021-22170 1 Gitlab 1 Gitlab 2024-02-28 5.0 MEDIUM 7.5 HIGH
Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted content
CVE-2021-39927 1 Gitlab 1 Gitlab 2024-02-28 3.5 LOW 4.3 MEDIUM
Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443
CVE-2021-39930 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
CVE-2021-39912 1 Gitlab 1 Gitlab 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion.
CVE-2021-22262 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page
CVE-2021-39915 1 Gitlab 1 Gitlab 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
CVE-2021-39905 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with
CVE-2021-22261 1 Gitlab 1 Gitlab 2024-02-28 3.5 LOW 4.8 MEDIUM
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
CVE-2021-39898 1 Gitlab 1 Gitlab 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
CVE-2021-39911 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers
CVE-2021-39879 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 3.5 LOW
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication
CVE-2021-39900 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 2.7 LOW
Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
CVE-2021-39909 1 Gitlab 1 Gitlab 2024-02-28 3.5 LOW 5.3 MEDIUM
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances
CVE-2021-39880 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
CVE-2021-39894 1 Gitlab 1 Gitlab 2024-02-28 5.5 MEDIUM 5.4 MEDIUM
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.