CVSS2: 7.2 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 8.7 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.001 Low
  Percentile: 45.2%
GitLab reports:
Stored XSS via ipynb files
Pipeline schedules on imported projects can be set to automatically active after import
Potential Denial of service via Workhorse
Improper Access Control allows Merge Request creator to bypass locked status
Projects API discloses ID and name of private groups
Severity of an incident can be changed by a guest user
System root password accidentally written to log file
Potential DoS via a malformed TIFF image
Bypass of CODEOWNERS Merge Request approval requirement
Change project visibility to a restricted option
Project exports leak external webhook token value
SCIM token is visible after creation
Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transferred
Regular expression denial of service issue when cleaning namespace path
Prevent creation of scopeless apps using applications API
Webhook data exposes assignee’s private email address