Filtered by vendor Gitlab
Subscribe
Total
1047 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-39944 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 7.1 HIGH |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import | |||||
CVE-2021-22263 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 6.5 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects. | |||||
CVE-2021-39875 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | |||||
CVE-2021-39871 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call. | |||||
CVE-2021-39895 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 2.1 LOW | 4.5 MEDIUM |
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. | |||||
CVE-2021-22170 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted content | |||||
CVE-2021-39927 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 4.3 MEDIUM |
Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443 | |||||
CVE-2021-39930 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates | |||||
CVE-2021-39912 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion. | |||||
CVE-2021-22262 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page | |||||
CVE-2021-39915 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects | |||||
CVE-2021-39905 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with | |||||
CVE-2021-22261 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses | |||||
CVE-2021-39898 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from. | |||||
CVE-2021-39911 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers | |||||
CVE-2021-39879 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 3.5 LOW |
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication | |||||
CVE-2021-39900 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 2.7 LOW |
Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. | |||||
CVE-2021-39909 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 5.3 MEDIUM |
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances | |||||
CVE-2021-39880 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware. | |||||
CVE-2021-39894 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM |
In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. |