Gitlab Security Vulnerabilities

CVE-2020-7969

GitLab EE 8.0 and later through 12.7.2 allows Information...

CVE-2020-7966

GitLab EE 11.11 and later through 12.7.2 allows Directory...

CVE-2020-7967

GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of...

CVE-2020-7968

GitLab EE 8.0 through 12.7.2 has Incorrect Access...

CVE-2020-7979

GitLab EE 8.9 and later through 12.7.2 has Insecure...

CVE-2020-8114

GitLab EE 8.9 and later through 12.7.2 has Insecure...

CVE-2013-4582

The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to include information...

CVE-2013-4583

The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges and clone arbitrary...

CVE-2019-5466

An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label...

CVE-2019-5468

An privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked...

CVE-2019-5470

An information disclosure issue was discovered GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback...

CVE-2019-5472

An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainer to delete epic...

CVE-2019-5474

An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate...

CVE-2019-15583

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through th...

CVE-2019-15585

Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's...

CVE-2019-5464

A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the url_blocker.rb which could result in SSRF where the library is...

CVE-2019-15579

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via...

CVE-2019-15582

An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected...

CVE-2019-5462

A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has...

CVE-2019-5465

An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue...

CVE-2019-15578

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge...

CVE-2019-15586

A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid...

CVE-2019-15581

An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval...

CVE-2019-15590

An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch...

CVE-2020-2096

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS...

CVE-2019-20142

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of...

CVE-2019-20143

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access...

CVE-2019-20144

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access...

CVE-2020-6832

An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private...

CVE-2020-5197

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access...

CVE-2019-20145

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access...

CVE-2019-20147

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access...

CVE-2019-20148

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access...

CVE-2019-20146

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource...

CVE-2019-19628

In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain...

CVE-2019-19314

GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in...

CVE-2019-19629

In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch...

CVE-2019-19313

GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and...

CVE-2019-19312

GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the...

CVE-2019-19310

GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information...

CVE-2019-19309

GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access...

CVE-2019-19262

GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure...

CVE-2019-19259

GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference...

CVE-2019-19256

GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access...

CVE-2019-19257

GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of...

CVE-2019-19258

GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access...

CVE-2019-19263

GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure...

CVE-2019-19260

GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of...

CVE-2019-19255

GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access...

CVE-2019-19261

GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows...