Gitlab Security Vulnerabilities
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email.
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads.
6.1CVSS
5.9AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads.
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in GitLab Enterprise Edition 11.x and 12.x before 12.0.9, 12.1.x before 12.1.9, and 12.2.x before 12.2.5. It has Incorrect Access Control.
7.1CVSS
6.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2).
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.
6.5CVSS
6.4AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect.
6.1CVSS
6.2AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions.
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in link validation for RDoc wiki pages feature. It has XSS.
6.1CVSS
6.2AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11 through 12.4 when building Nested GraphQL queries. It has a large or infinite loop.
7.5CVSS
7.3AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration.. It has Insecure Permissions (issue 1 of 4).
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens.. It has Insecure Permissions.
8.8CVSS
8.4AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 2 of 4).
2.7CVSS
3.9AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4).
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4 in the Comments Search feature provided by the Elasticsearch integration. It has Incorrect Access Control.
7.5CVSS
7.3AI Score
0.002EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.
4.3CVSS
4.5AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 4 of 4).
4.3CVSS
4.6AI Score
0.001EPSS
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2).
4.3CVSS
4.9AI Score
0.001EPSS
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).
4.3CVSS
4.9AI Score
0.001EPSS
9.8CVSS
9.4AI Score
0.002EPSS
GitLab Community Edition (CE) and Enterprise Edition (EE). 9.6 and later through 12.5 has Incorrect Access Control.
5.3CVSS
5.5AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access Control.
4.3CVSS
4.8AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control.
5.3CVSS
5.5AI Score
0.001EPSS
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).
5.3CVSS
5.5AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control.
5.3CVSS
5.5AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR).
4.3CVSS
4.7AI Score
0.001EPSS
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2).
5.4CVSS
5.7AI Score
0.001EPSS
8.8CVSS
8.5AI Score
0.002EPSS
GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions.
4.3CVSS
4.7AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions.
4.3CVSS
4.7AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.
4.3CVSS
4.8AI Score
0.001EPSS
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
4.9CVSS
5.2AI Score
0.001EPSS
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
5.4CVSS
5.3AI Score
0.001EPSS
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
5.8CVSS
5.6AI Score
0.001EPSS
GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits.
7.5CVSS
7.4AI Score
0.003EPSS
7.5CVSS
7.3AI Score
0.003EPSS
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
9.8CVSS
10AI Score
0.03EPSS
In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
7.5CVSS
7.4AI Score
0.002EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service.
4.3CVSS
4.3AI Score
0.001EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access Control.
5.3CVSS
5AI Score
0.001EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.
4.3CVSS
4.4AI Score
0.001EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.
4.3CVSS
4.4AI Score
0.001EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption.
5.3CVSS
4.9AI Score
0.001EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.
5.3CVSS
5AI Score
0.001EPSS
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
5.3CVSS
5AI Score
0.001EPSS