2484 matches found

CVE
added 2022/11/09 12:00 a.m., 116 views

CVE-2022-3265

CVE-2022-3265 affects GitLab CE/EE. The issue is a stored cross-site scripting (XSS) vulnerability in the labels color feature, impacting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. The flaw lies in the handling of the labels color setting, enabling attackers to...

CVSS 7.3 | AI score 5.2 | EPSS 0.86326
Exploits: 0 | References: 3 | Affected software: 1
OSV
added 2022/11/09 12:00 a.m., 21 views

CVE-2022-3726

Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account...

CVSS 4.8 | AI score 8.8 | EPSS 0.00774
Exploits: 0 | References: 5
CVE
added 2022/11/09 12:00 a.m., 93 views

CVE-2022-3280

CVE-2022-3280 describes an open redirect in GitLab CE/EE. Affected versions are all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. The vulnerability allows an attacker to trick users into visiting a trustworthy URL and be redirec...

CVSS 6.1 | AI score 6 | EPSS 0.00523
Exploits: 0 | References: 3 | Affected software: 1
OSV
added 2022/11/09 12:00 a.m., 17 views

CVE-2022-2761

An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to...

CVSS 4.3 | AI score 4.8 | EPSS 0.00664
Exploits: 0 | References: 5
OSV
added 2022/11/09 12:00 a.m., 16 views

CVE-2022-3819

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious user to set emojis on internal notes they don't have access to...

CVSS 3.5 | AI score 4.2 | EPSS 0.00426
Exploits: 0 | References: 4
OSV
added 2022/11/09 12:00 a.m., 22 views

CVE-2022-3706

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that...

CVSS 3.1 | AI score 4.2 | EPSS 0.00508
Exploits: 0 | References: 4
OSV
added 2022/11/09 12:00 a.m., 18 views

CVE-2022-3483

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the...

CVSS 5.5 | AI score 5 | EPSS 0.0065
Exploits: 0 | References: 5
CVE
added 2022/11/09 12:00 a.m., 116 views

CVE-2022-3706

CVE-2022-3706 affects GitLab CE/EE: improper authorization lets a user retrying a downstream job take ownership of retried upstream jobs without access to the project. Affected versions: 7.14 up to but not including 15.3.5; 15.4 up to but not including 15.4.4; 15.5 up to but not including 15.5.2....

CVSS 4.3 | AI score 4.4 | EPSS 0.00508
Exploits: 0 | References: 2 | Affected software: 1
CVE
added 2022/11/09 12:00 a.m., 104 views

CVE-2022-3793

GitLab CE/EE vulnerability CVE-2022-3793: improper authorization allows reading variables set in a GitLab CI/CD config file by an attacker without access. Affected: all 14.4 up to before 15.3.5; 15.4 up to before 15.4.4; 15.5 up to before 15.5.2. Root cause: insufficient access control around CI/...

CVSS 5.3 | AI score 5.1 | EPSS 0.00537
Exploits: 0 | References: 2 | Affected software: 1
Tenable Nessus
added 2022/11/04 12:00 a.m., 34 views

GitLab 10.1 < 15.3.5 / 15.4 < 15.4.4 / 15.5 < 15.5.2 (CVE-2022-3280)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and...

CVSS 6.1 | AI score 6.4 | EPSS 0.00523
Exploits: 0 | References: 4
Prion
added 2022/11/02 8:15 p.m., 18 views

Cross site scripting

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible to exploit a vulnerability in the external status checks feature...

CVSS 4.9 | AI score 5.1 | EPSS 0.00645
Exploits: 0 | References: 3 | Affected software: 1
CVE
added 2022/11/02 12:00 a.m., 66 views

CVE-2022-2904

CVE-2022-2904 concerns a stored cross-site scripting flaw in GitLab CE/EE affecting versions 15.2 up to before 15.2.5, 15.3 up to before 15.3.4, and 15.4 up to before 15.4.1. The vulnerability exists in the external status checks feature and could allow an attacker to perform arbitrary actions on...

CVSS 7.3 | AI score 5.2 | EPSS 0.00645
Exploits: 0 | References: 3 | Affected software: 1
UbuntuCve
added 2022/10/28 3:15 p.m., 23 views

CVE-2022-2882

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the...

CVSS 5.5 | AI score 5.8 | EPSS 0.0067
Exploits: 0 | References: 1
Prion
added 2022/10/28 3:15 p.m., 19 views

Information disclosure

An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs...

CVSS 3.3 | AI score 4.7 | EPSS 0.00662
Exploits: 0 | References: 2 | Affected software: 1
Prion
added 2022/10/28 3:15 p.m., 23 views

Code injection

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the...

CVSS 4 | AI score 4.4 | EPSS 0.0067
Exploits: 0 | References: 3 | Affected software: 1
Debian CVE
added 2022/10/28 12:00 a.m., 24 views

CVE-2022-2882

Removed by vendor...

CVSS 5.5 | AI score 5.8 | EPSS 0.0067
Exploits: 0
Debian CVE
added 2022/10/28 12:00 a.m., 33 views

CVE-2022-3018

Removed by vendor...

CVSS 6.8 | AI score 6.6 | EPSS 0.00662
Exploits: 0
CVE
added 2022/10/28 12:00 a.m., 135 views

CVE-2022-3018

CVE-2022-3018 is an information-disclosure vulnerability in GitLab CE/EE that allows a project maintainer to access the DataDog integration API key from webhook logs. Affected versions are: all 9.3 up to, but not including, 15.2.5; all 15.3 up to, but not including, 15.3.4; and all 15.4 up to, bu...

CVSS 6.8 | AI score 4.6 | EPSS 0.00662
Exploits: 0 | References: 2 | Affected software: 1
CVE
added 2022/10/26 2:00 p.m., 68 views

CVE-2022-20953

Cisco TelePresence CE and RoomOS Software are affected by multiple local, authenticated vulnerabilities leading to path traversal, sensitive data disclosure, and arbitrary file writes. Exploitation routes include excessive privileges for system commands (viewing keystrokes via USB, etc.) and syml...

CVSS 5.5 | AI score 6 | EPSS 0.00401
Exploits: 0 | References: 1 | Affected software: 2
Prion
added 2022/10/21 4:15 p.m., 22 views

Denial of service

A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions from 10.8 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Improper data handling on branch creation could have been used to trigger high CPU usage...

CVSS 5 | AI score 7.3 | EPSS 0.00841
Exploits: 0 | References: 2 | Affected software: 1
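The GitLab entries above all state their affected versions as half-open ranges (lower bound inclusive, the fixed release excluded) in three phrasings: "from X prior to Y", "starting from X before Y", and "X up to (before / but not including) Y". When triaging a release line against a batch like this, the first question is simply whether the installed version lands inside any of those ranges. The following is an added example for this page, not code from GitLab or from the listing source: it parses those sentences into version ranges and evaluates an installed version against them. The advisory strings are copied from the entries above; the installed version strings are constructed.

```python
"""Evaluate an installed GitLab version against the affected-version ranges
quoted in the advisories above.

Added example for this page; not code from GitLab or from the listing
source. ADVISORIES holds range sentences copied from the entries above; the
installed versions tried in __main__ are constructed."""

import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# One "X prior to Y" / "X before Y" / "X up to before Y" /
# "X up to(,) but not including(,) Y" pair. X is inclusive, Y is exclusive.
RANGE_RE = re.compile(
    r"(\d+(?:\.\d+)*)\s+"
    r"(?:prior to|before|up to(?:,? but not including,?| before)?)\s+"
    r"(\d+(?:\.\d+)*)"
)


def parse_version(s: str) -> Version:
    """'15.3.5' -> (15, 3, 5); a trailing build tag such as '-ee' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare(a: Version, b: Version) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded so that 15.4 == 15.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def affected_ranges(advisory: str) -> List[Tuple[Version, Version]]:
    """Every [lower, upper) range the advisory sentence declares."""
    return [(parse_version(lo), parse_version(hi))
            for lo, hi in RANGE_RE.findall(advisory)]


def is_affected(installed: str, advisory: str) -> bool:
    """True if lower <= installed < upper for any declared range."""
    v = parse_version(installed)
    return any(compare(lo, v) <= 0 < compare(hi, v)
               for lo, hi in affected_ranges(advisory))


def check_all(installed: str, advisories: Dict[str, str]) -> Dict[str, bool]:
    return {cve: is_affected(installed, text) for cve, text in advisories.items()}


# Range sentences copied from the entries above, one per phrasing.
ADVISORIES = {
    "CVE-2022-3726": "affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to "
                     "15.4.4, and 15.5 prior to 15.5.2",
    "CVE-2022-3483": "affecting all versions starting from 12.1 before 15.3.5, all "
                     "versions starting from 15.4 before 15.4.4, all versions starting "
                     "from 15.5 before 15.5.2",
    "CVE-2022-3706": "7.14 up to but not including 15.3.5; 15.4 up to but not including "
                     "15.4.4; 15.5 up to but not including 15.5.2",
    "CVE-2022-3018": "affecting all versions starting from 9.3 before 15.2.5, all versions "
                     "starting from 15.3 before 15.3.4, all versions starting from 15.4 "
                     "before 15.4.1",
    "CVE-2022-2904": "affecting versions 15.2 up to before 15.2.5, 15.3 up to before "
                     "15.3.4, and 15.4 up to before 15.4.1",
}

if __name__ == "__main__":
    for installed in ("15.3.4", "15.3.5", "15.4.2-ee", "15.5.2", "12.0"):  # constructed
        print(installed, check_all(installed, ADVISORIES))
```

Two caveats when reusing this against other entries: the parser only recognises ranges with an explicit lower bound, so the unbounded "all versions prior to 15.3.5" form in the CVE-2022-3265 blurb would need a zero lower bound added by hand, and a version on an unpatched minor line (for example 15.3.6 against a 15.3.5 fix) is reported as not affected purely on the stated ranges, which is correct for the advisory text but not a substitute for checking the vendor's release notes for that line.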