Vulnerabilities (CVE)

Filtered by vendor Gitlab Subscribe
Filtered by product Gitlab
Total 52 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-0402 1 Gitlab 1 Gitlab 2024-01-31 N/A 9.9 CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
CVE-2023-4008 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.8 CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known.
CVE-2023-5009 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.8 CRITICAL
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.
CVE-2023-1708 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.8 CRITICAL
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters gets copied from clipboard, allowing unexpected commands to be executed on victim machine.
CVE-2018-17452 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.8 CRITICAL
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via a loopback address to the validate_localhost function in url_blocker.rb.
CVE-2022-2826 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.8 CRITICAL
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO
CVE-2022-3726 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.0 CRITICAL
Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account.
CVE-2022-2884 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.9 CRITICAL
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint
CVE-2022-2992 1 Gitlab 1 Gitlab 2023-12-10 N/A 9.9 CRITICAL
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
CVE-2022-0735 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
CVE-2022-1162 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 9.8 CRITICAL
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
CVE-2022-0249 1 Gitlab 1 Gitlab 2023-12-10 6.4 MEDIUM 9.1 CRITICAL
A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack since requests to shared address space were not blocked.
CVE-2021-39890 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 9.8 CRITICAL
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
CVE-2021-22203 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
CVE-2021-22205 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 10.0 CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
CVE-2021-22175 1 Gitlab 1 Gitlab 2023-12-10 6.8 MEDIUM 9.8 CRITICAL
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
CVE-2020-13347 1 Gitlab 1 Gitlab 2023-12-10 9.0 HIGH 9.1 CRITICAL
A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable.
CVE-2020-10074 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 9.8 CRITICAL
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.
CVE-2020-10956 1 Gitlab 1 Gitlab 2023-12-10 7.5 HIGH 9.8 CRITICAL
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.
CVE-2020-10083 1 Gitlab 1 Gitlab 2023-12-10 6.4 MEDIUM 9.1 CRITICAL
GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied.