CVE Daily
← All tags

Tag: GitLab

All CVEs associated with "GitLab". Page 10/13 • 1444 CVEs.

Subscribe CVEs: RSS for “GitLab”  ·  RSS (High+Critical only)

About “GitLab”

A curated feed of “GitLab”-related CVEs appears below. We currently track 1444 CVEs for this tag (all time). In the last 365 days, 232 were published. Average CVSS is 5.8 (all time; 5.9 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-770 - Allocation of Resources Without Limits or Throttling, CWE-862 - Missing Authorization, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a MODERATE impact class. Developer and CI or CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2020-04-22
High

CVE-2020-11505

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and…

CVSS: 7.5 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2020-04-08
Medium

CVE-2020-10981

GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.

CVSS: 4.3 CWE: N/A View on NVD
Critical

CVE-2020-10980

GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2020-10979

GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2020-10978

GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-10977

GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.

CVSS: 5.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2020-10976

GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2020-10975

GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.

CVSS: 4.3 CWE: N/A View on NVD
2020-03-27
Critical

CVE-2020-10956

GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2020-10955

GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2020-10954

GitLab through 12.9 is affected by a potential DoS in repository archive download.

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2020-10953

In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2020-10952

GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.

CVSS: 6.5 CWE: N/A View on NVD
2020-03-13
Critical

CVE-2020-10077

GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2020-10076

GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-10075

GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2020-10074

GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2020-10073

GitLab EE 12.4.2 through 12.8.1 allows Denial of Service. It was internally discovered that a potential denial of service involving permissions checks could impact a project home page.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-10092

GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-10091

GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-10090

GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2020-10089

GitLab 8.11 through 12.8.1 allows a Denial of Service when using several features to recursively request eachother,

CVSS: 7.5 CWE: CWE-674 - Uncontrolled Recursion View on NVD
High

CVE-2020-10088

GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level.

CVSS: 8.1 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2020-10087

GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-10086

GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read.

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2020-10085

GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing merge private merge request titles.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-10084

GitLab EE 11.6 through 12.8.1 allows Information Disclosure. Sending a specially crafted request to the vulnerability_feedback endpoint could result in the exposure of a private project namespace

CVSS: 5.3 CWE: N/A View on NVD
Critical

CVE-2020-10083

GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied.

CVSS: 9.1 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2020-10082

GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-10081

GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2020-10080

GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-10079

GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required.

CVSS: 5.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2020-10078

GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-03-12
Medium

CVE-2020-10535

GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address.

CVSS: 5.3 CWE: N/A View on NVD
2020-03-10
High

CVE-2019-13121

An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0.2. The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local ne…

CVSS: 7.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2019-13011

An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute-force a user with access to a project, but not it's repository could create a list of merge requests templat…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2019-13010

An issue was discovered in GitLab Enterprise Edition 8.3 through 12.0.2. The color codes decoder was vulnerable to a resource depletion attack if specific formats were used. It allows Uncontrolled Re…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2019-13009

An issue was discovered in GitLab Community and Enterprise Edition 9.2 through 12.0.2. Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper p…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2019-13007

An issue was discovered in GitLab Community and Enterprise Edition 11.11 through 12.0.2. When an admin enabled one of the service templates, it was triggering an action that leads to resource depleti…

CVSS: 4.9 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2019-13006

An issue was discovered in GitLab Community and Enterprise Edition 9.0 and through 12.0.2. Users with access to issues, but not the repository were able to view the number of related merge requests o…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2019-13005

An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab graphql service was vulnerable to multiple authorization issues that disclosed restricted us…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2019-13004

An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It ha…

CVSS: 5.3 CWE: N/A View on NVD
High

CVE-2019-13003

An issue was discovered in GitLab Community and Enterprise Edition before 12.0.3. One of the parsers used by Gilab CI was vulnerable to a resource exhaustion attack. It allows Uncontrolled Resource C…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2019-13002

An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access C…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2019-13001

An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comm…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2019-12446

An issue was discovered in GitLab Community and Enterprise Edition 8.3 through 11.11. It allows Information Exposure through an Error Message.

CVSS: 7.5 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Medium

CVE-2019-12445

An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. A malicious user could execute JavaScript code on notes by importing a specially crafted project file. It allows…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-12444

An issue was discovered in GitLab Community and Enterprise Edition 8.9 through 11.11. Wiki Pages contained a lack of input validation which resulted in a persistent XSS vulnerability.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2019-12443

An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validat…

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2019-12442

An issue was discovered in GitLab Enterprise Edition 11.7 through 11.11. The epic details page contained a lack of input validation and output encoding issue which resulted in a persistent XSS vulner…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2019-12441

An issue was discovered in GitLab Community and Enterprise Edition 8.4 through 11.11. The protected branches feature contained a access control issue which resulted in a bypass of the protected branc…

CVSS: 7.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2019-12434

An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked…

CVSS: 4.3 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
Medium

CVE-2019-12433

An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private gro…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2019-12432

An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2019-12431

An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2019-12430

An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository d…

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2019-12429

An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the mi…

CVSS: 6.5 CWE: N/A View on NVD
Critical

CVE-2019-12428

An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially cra…

CVSS: 9.8 CWE: N/A View on NVD
2020-03-06
Critical

CVE-2020-8113

GitLab 10.7 and later through 12.7.2 has Incorrect Access Control.

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2020-02-17
High

CVE-2020-8795

In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2019-12825

Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups…

CVSS: 4.3 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD
2020-02-14
Medium

CVE-2019-15594

GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2019-15592

GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-02-05
High

CVE-2020-6833

An issue was discovered in GitLab EE 11.3 and later. A GitLab Workhorse bypass could lead to package and file disclosure via request smuggling.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2020-7978

GitLab EE 12.6 and later through 12.7.2 allows Denial of Service.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-7977

GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions.

CVSS: 5.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2020-7976

GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-7974

GitLab EE 10.1 through 12.7.2 allows Information Disclosure.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-7973

GitLab through 12.7.2 allows XSS.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2020-7972

GitLab EE 12.2 has Insecure Permissions (issue 2 of 2).

CVSS: 7.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2020-7971

GitLab EE 11.0 and later through 12.7.2 allows XSS.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2020-7969

GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2020-7968

GitLab EE 8.0 through 12.7.2 has Incorrect Access Control.

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2020-7967

GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of 2).

CVSS: 4.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2020-7966

GitLab EE 11.11 and later through 12.7.2 allows Directory Traversal.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2020-8114

GitLab EE 8.9 and later through 12.7.2 has Insecure Permission

CVSS: 9.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2020-7979

GitLab EE 8.9 and later through 12.7.2 has Insecure Permission

CVSS: 5.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2020-01-28
High

CVE-2013-4583

The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2013-4582

The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition befo…

CVSS: 6.5 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
Medium

CVE-2019-5474

An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2019-5472

An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainer to delete epic comments.

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2019-5470

An information disclosure issue was discovered GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2019-5468

An privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2019-5466

An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2019-5465

An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2019-5464

A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2019-5462

A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.

CVSS: 8.8 CWE: CWE-613 - Insufficient Session Expiration View on NVD
High

CVE-2019-15590

An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the G…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2019-15586

A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2019-15585

Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2019-15583

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, th…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2019-15582

An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2019-15581

An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group vi…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2019-15579

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2019-15578

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be di…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-01-15
Medium

CVE-2020-2096

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-01-13
Medium

CVE-2019-20144

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2019-20143

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access Control.

CVSS: 5.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2019-20142

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2020-6832

An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2020-5197

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2019-20148

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2019-20147

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2019-20146

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption.

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2019-20145

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.

CVSS: 4.3 CWE: N/A View on NVD
2020-01-05
High

CVE-2019-19629

In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch int…

CVSS: 7.5 CWE: N/A View on NVD
Critical

CVE-2019-19628

In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities u…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2019-19314

GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.

CVSS: 7.5 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
High

CVE-2019-19313

GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits.

CVSS: 7.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
Medium

CVE-2019-19312

GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private p…

CVSS: 5.8 CWE: N/A View on NVD
2020-01-03
Medium

CVE-2019-19310

GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.

CVSS: 4.9 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2019-19309

GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2019-19263

GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions.

CVSS: 4.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2019-19262

GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions.

CVSS: 4.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2019-19261

GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF.

CVSS: 8.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2019-19260

GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2).

CVSS: 5.4 CWE: N/A View on NVD
Medium

CVE-2019-19259

GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR).

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2019-19258

GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2019-19257

GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2019-19256

GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD