Total
52 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-0402 | 1 Gitlab | 1 Gitlab | 2024-01-31 | N/A | 9.9 CRITICAL |
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. | |||||
CVE-2023-4008 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known. | |||||
CVE-2023-5009 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact. | |||||
CVE-2023-1708 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters gets copied from clipboard, allowing unexpected commands to be executed on victim machine. | |||||
CVE-2018-17452 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via a loopback address to the validate_localhost function in url_blocker.rb. | |||||
CVE-2022-2826 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO | |||||
CVE-2022-3726 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.0 CRITICAL |
Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account. | |||||
CVE-2022-2884 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.9 CRITICAL |
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint | |||||
CVE-2022-2992 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 9.9 CRITICAL |
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. | |||||
CVE-2022-0735 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands. | |||||
CVE-2022-1162 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts | |||||
CVE-2022-0249 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack since requests to shared address space were not blocked. | |||||
CVE-2021-39890 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above. | |||||
CVE-2021-22203 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server. | |||||
CVE-2021-22205 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 10.0 CRITICAL |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. | |||||
CVE-2021-22175 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled | |||||
CVE-2020-13347 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 9.0 HIGH | 9.1 CRITICAL |
A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable. | |||||
CVE-2020-10074 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link. | |||||
CVE-2020-10956 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. | |||||
CVE-2020-10083 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied. |