CVE Daily
← All tags

Tag: GitLab

All CVEs associated with "GitLab". Page 8/13 • 1444 CVEs.

Subscribe CVEs: RSS for “GitLab”  ·  RSS (High+Critical only)

About “GitLab”

A curated feed of “GitLab”-related CVEs appears below. We currently track 1444 CVEs for this tag (all time). In the last 365 days, 232 were published. Average CVSS is 5.8 (all time; 5.9 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-770 - Allocation of Resources Without Limits or Throttling, CWE-862 - Missing Authorization, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a MODERATE impact class. Developer and CI or CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-11-04
Medium

CVE-2021-39903

In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance admi…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2021-39902

Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-10-11
Medium

CVE-2021-22263

An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user ac…

CVSS: 5.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2021-10-07
Critical

CVE-2021-42091

An issue was discovered in Zammad before 4.1.1. SSRF can occur via GitHub or GitLab integration.

CVSS: 9.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2021-10-05
Medium

CVE-2021-39880

A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions s…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2021-39891

In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive…

CVSS: 5.9 CWE: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer View on NVD
Medium

CVE-2021-39889

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API…

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Low

CVE-2021-39886

Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic reference…

CVSS: 2.6 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2021-39881

In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick u…

CVSS: 3.5 CWE: N/A View on NVD
Medium

CVE-2021-39870

In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-22264

An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under spe…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2021-22262

Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integ…

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-22261

A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting f…

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-22258

The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-22257

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-39894

In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.

CVSS: 5.4 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2021-39893

A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-39888

In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal det…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-39884

In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-39882

In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.

CVSS: 5.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2021-39878

A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code.

CVSS: 5.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-39875

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-39872

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquir…

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2021-39869

In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2021-39867

In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.

CVSS: 6.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2021-39866

A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.

CVSS: 5.4 CWE: N/A View on NVD
High

CVE-2021-39887

A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-10-04
Low

CVE-2021-39900

Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.

CVSS: 2.0 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Low

CVE-2021-39899

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the att…

CVSS: 2.9 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
Low

CVE-2021-39896

In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may…

CVSS: 3.8 CWE: N/A View on NVD
High

CVE-2021-39885

A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14…

CVSS: 8.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-39883

Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows s…

CVSS: 4.3 CWE: N/A View on NVD
Low

CVE-2021-39879

Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication

CVSS: 2.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2021-39877

A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.

CVSS: 7.7 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2021-39874

In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-39873

In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-39871

In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-39868

In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.

CVSS: 4.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2021-22259

A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API.

CVSS: 4.3 CWE: N/A View on NVD
2021-09-09
Medium

CVE-2021-22239

An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later.

CVSS: 5.0 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-08-25
Medium

CVE-2021-22256

Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-22250

Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account

CVSS: 5.4 CWE: N/A View on NVD
Medium

CVE-2021-22247

Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2021-22245

Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view

CVSS: 2.7 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2021-22244

Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data

CVSS: 3.1 CWE: N/A View on NVD
Medium

CVE-2021-22243

Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.

CVSS: 5.0 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-22242

Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown

CVSS: 8.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-22237

Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions befo…

CVSS: 6.6 CWE: CWE-384 - Session Fixation View on NVD
Medium

CVE-2021-22236

Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.

CVSS: 5.5 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-08-23
Medium

CVE-2021-22253

Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions…

CVSS: 4.9 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-22252

A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2021-22251

Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-22249

A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group

CVSS: 4.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Medium

CVE-2021-22248

Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pi…

CVSS: 5.3 CWE: N/A View on NVD
2021-08-20
Low

CVE-2021-22254

Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.

CVSS: 3.1 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
High

CVE-2021-22246

A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks.

CVSS: 7.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2021-22238

An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.

CVSS: 6.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-08-05
Critical

CVE-2021-22234

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2021-22241

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name.

CVSS: 8.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-22240

Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled

CVSS: 4.2 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-07-07
Medium

CVE-2021-22233

An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-22225

Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown

CVSS: 4.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2021-22224

A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim

CVSS: 7.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Low

CVE-2021-22231

A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username.

CVSS: 3.5 CWE: N/A View on NVD
Medium

CVE-2021-22230

Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.

CVSS: 4.9 CWE: N/A View on NVD
Medium

CVE-2021-22227

A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-07-06
Medium

CVE-2021-22228

An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. Improper access contr…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2021-22223

Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2021-22232

HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE

CVSS: 3.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2021-22229

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2021-22226

Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9

CVSS: 6.5 CWE: N/A View on NVD
2021-06-11
High

CVE-2021-22181

A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.

CVSS: 7.7 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2021-22175

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthen…

CVSS: 6.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2021-06-08
Medium

CVE-2021-22220

An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-22216

A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge requ…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2021-22221

An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2…

CVSS: 6.5 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2021-22219

All versions of GitLab CE/EE starting from 9.5 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 allow a high privilege user to obta…

CVSS: 4.4 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2021-22217

A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or me…

CVSS: 6.5 CWE: N/A View on NVD
High

CVE-2021-22213

A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Saf…

CVSS: 8.8 CWE: N/A View on NVD
Low

CVE-2021-22218

All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the h…

CVSS: 2.6 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2021-22215

An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2021-22214

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an un…

CVSS: 6.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2021-05-06
Medium

CVE-2021-22210

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a consid…

CVSS: 5.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
High

CVE-2021-22209

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-22208

An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2021-22206

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,

CVSS: 6.8 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
Low

CVE-2021-22211

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect ac…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-04-23
Critical

CVE-2021-22205

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote com…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2021-04-22
Low

CVE-2021-22199

An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-04-12
High

CVE-2021-22190

A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token

CVSS: 8.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-04-02
High

CVE-2021-22203

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.1…

CVSS: 7.5 CWE: N/A View on NVD
Low

CVE-2021-22202

An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.

CVSS: 2.4 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2021-22201

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.

CVSS: 9.6 CWE: N/A View on NVD
Medium

CVE-2021-22200

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project for…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2021-22198

An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.

CVSS: 4.3 CWE: N/A View on NVD
Low

CVE-2021-22197

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and targe…

CVSS: 3.5 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
Medium

CVE-2021-22196

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch nam…

CVSS: 6.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-04-01
High

CVE-2021-22195

Client side code execution in gitlab-vscode-extension v3.15.0 and earlier allows attacker to execute code on user system

CVSS: 8.6 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2021-22177

Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2021-03-26
Medium

CVE-2021-21411

OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stoppe…

CVSS: 5.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-22194

In all versions of GitLab, marshalled session keys were being stored in Redis.

CVSS: 5.7 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
Medium

CVE-2021-22184

An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.

CVSS: 6.2 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2021-22180

An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.

CVSS: 4.3 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
Medium

CVE-2021-22172

Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-03-24
Medium

CVE-2021-22169

An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.

CVSS: 4.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Low

CVE-2021-22193

An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.

CVSS: 3.5 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Critical

CVE-2021-22192

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.

CVSS: 9.9 CWE: N/A View on NVD
Medium

CVE-2021-22186

An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners

CVSS: 4.9 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2021-22185

Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-22179

A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.

CVSS: 5.4 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2021-22178

An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.

CVSS: 5.0 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2021-22176

An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-03-04
Medium

CVE-2021-22189

Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-22183

An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.

CVSS: 4.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-03-03
Medium

CVE-2021-22188

An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.

CVSS: 5.3 CWE: N/A View on NVD
Low

CVE-2021-22182

An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request.

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-03-02
Medium

CVE-2021-22187

An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2021-01-15
High

CVE-2021-22171

Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link

CVSS: 7.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2021-22168

A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2021-22167

An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository

CVSS: 5.3 CWE: N/A View on NVD