CVSS v3.1 base score: 10.0 (Critical; the v3.1 qualitative scale rates 9.0-10.0 as Critical, not High)
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Changed
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS v2 base score: 6.5 (Medium)
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS score: 0.061 (Low; a 6.1% predicted probability of exploitation in the next 30 days), 93.4th percentile
GitLab reports:
Vendor Cross-Account Assume-Role Attack
Stored XSS on the Vulnerability Page
Outdated Job Token Can Be Reused to Access Unauthorized Resources
File Disclosure Via Workhorse File Upload Bypass
Unauthorized Maintainer Can Edit Group Badge
Denial of Service Within Wiki Functionality
Sign-in Vulnerable to Brute-force Attacks
Invalidated Session Allows Account Access With an Old Password
GitLab Omniauth Endpoint Renders User Controlled Messages
Blind SSRF Through Repository Mirroring
Information Disclosure Through Incorrect Group Permission Verifications
No Rate Limit on GitLab Webhook Feature
GitLab Session Revocation Feature Does Not Invalidate All Sessions
OAuth Authorization Scope for an External Application Can Be Changed Without User Consent
Unauthorized Maintainer Can Delete Repository
Improper Verification of Deploy-Key Leads to Access Restricted Repository
Disabled Repository Still Accessible With a Deploy-Token
Duplicated Secret Code Generated by 2 Factor Authentication Mechanism
Lack of Validation Within Project Invitation Flow
Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication
Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab
Lack of Upper Bound Check Leading to Possible Denial of Service
2 Factor Authentication for Groups Was Not Enforced Within API Endpoint
GitLab Runner Denial of Service via CI Jobs
Update jQuery Dependency