2484 matches found
CVE-2021-39911
GitLab CVE-2021-39911 affects GitLab CE/EE: improper access control exposes the assignee's private email in Issue/MR data via Webhook consumers. Affected versions: 13.9–14.2.5, 14.3.0–14.3.3, and 14.4.0 only. Fixed in GitLab: 14.2.6, 14.3.4, and 14.4.1. Mitigation: upgrade to the fixed releases; ...
CVE-2021-39903
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings...
CVE-2021-39904
CVE-2021-39904 is an Improper Access Control vulnerability in GitLab’s GraphQL API affecting GitLab CE/EE all versions from 13.1 before 14.2.6, 14.3 before 14.3.4, and 14.4 before 14.4.1. A Merge Request creator could resolve discussions and apply suggestions after a project owner had locked the MR. Root cause: inadequate acces...
CVE-2021-39904
An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestion...
CVE-2021-39895
Removed by vendor...
CVE-2021-39895
CVE-2021-39895 affects GitLab CE/EE, vulnerable since version 8.0. The issue arises when an attacker can set pipeline schedules to be active in a project export, causing pipelines to be active by default when an unsuspecting owner imports the project. Under specialized conditions, this can lead t...
CVE-2021-39895
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure...
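The two CVE-2021-39895 entries above describe the hazard of importing an export whose pipeline schedules are already active. The check a project owner would want before importing, as an added example (not GitLab's own code), is to inspect the archive for schedules with `active: true`. The script below assumes the two export layouts GitLab has used: a legacy `project.json` carrying a `pipeline_schedules` array, or an ndjson file at `tree/project/pipeline_schedules.ndjson` with one schedule object per line; both paths and the field names (`active`, `cron`, `ref`, `description`, `owner_id`) are assumptions here, and the sample archive is constructed in the block.

```python
"""Scan a GitLab project export archive for pipeline schedules marked active.

Added example for the CVE-2021-39895 entries; not GitLab code. The export
layout (project.json or tree/project/pipeline_schedules.ndjson) and the
schedule field names are assumptions; the sample archive is constructed.
"""
import io
import json
import tarfile
from typing import Any, Dict, Iterable, List


def active_schedules(schedules: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the schedules whose `active` flag is the boolean true.

    A string "true" is deliberately not accepted: the exporter writes JSON
    booleans, and anything else should be reviewed by hand rather than trusted.
    """
    found = []
    for sched in schedules:
        if sched.get("active") is True:
            found.append({
                "description": sched.get("description"),
                "cron": sched.get("cron"),
                "ref": sched.get("ref"),
                "owner_id": sched.get("owner_id"),
            })
    return found


def parse_ndjson(text: str) -> Iterable[Dict[str, Any]]:
    """Yield one object per non-empty line of an ndjson document."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def scan_export(tar_bytes: bytes) -> List[Dict[str, Any]]:
    """Open a .tar.gz export from memory and collect active schedules from either layout."""
    found: List[Dict[str, Any]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.lstrip("./")  # normalise "./tree/..." style member names
            handle = tar.extractfile(member)
            if handle is None:
                continue
            if name == "project.json":  # assumed legacy single-file layout
                data = json.load(handle)
                found.extend(active_schedules(data.get("pipeline_schedules", [])))
            elif name == "tree/project/pipeline_schedules.ndjson":  # assumed ndjson layout
                found.extend(active_schedules(parse_ndjson(handle.read().decode("utf-8"))))
    return found


def build_sample_export() -> bytes:
    """Construct a minimal export (ndjson layout) with one active and one paused schedule."""
    schedules = [
        {"description": "nightly", "cron": "0 2 * * *", "ref": "main", "active": True, "owner_id": 42},
        {"description": "paused", "cron": "0 3 * * *", "ref": "main", "active": False, "owner_id": 42},
    ]
    payload = "\n".join(json.dumps(s) for s in schedules).encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("tree/project/pipeline_schedules.ndjson")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for sched in scan_export(build_sample_export()):
        print("active schedule in export, review before importing:", sched)
```

Run it against a real export with `scan_export(open("export.tar.gz", "rb").read())`; any schedule it reports will start running under the importing owner's identity as soon as the import completes, so disable or delete it before (or immediately after) importing.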
CVE-2021-22260
Removed by vendor...
CVE-2021-22260
CVE-2021-22260 is a stored XSS vulnerability in the DataDog integration for GitLab CE/EE. Affected: all versions from 13.7 before 14.0.9, 14.1 before 14.1.4, and 14.2 before 14.2.2. Root cause: improper sanitization in the DataDog integration. Impact: arbitrary JavaScript execution in the vict...
CVE-2021-39901
In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint...
CVE-2021-39897
Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred...
CVE-2021-39912
CVE-2021-39912 describes a potential DoS in GitLab CE/EE starting with version 13.7, triggered by malformed TIFF images that cause memory exhaustion. Connected sources consistently identify the affected product as GitLab CE/EE and the root cause as processing malformed T...
CVE-2021-39906
Removed by vendor...
CVE-2021-39906
CVE-2021-39906 affects GitLab CE/EE 13.5 and later. The root cause is improper validation of ipynb files, enabling an attacker to have the victim’s browser execute arbitrary JavaScript. Exploitation is not elaborated in the provided documents, but several sources indicate affected versions an...
CVE-2021-39903
Removed by vendor...
CVE-2021-39903
CVE-2021-39903 affects GitLab CE/EE (all versions since 13.0). A privileged user can, via API calls, change the visibility of a group or project to a restricted option even after the administrator has restricted that visibility in settings. The root cause is an API-level ability to override confi...
GitLab Unauthenticated Remote ExifTool Command Injection
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'GitLab Unauthenticated Remote ExifTool Command Injection', 'Description' => %q This module exploits an unauthenticated file upload and command...
PT-2021-22750 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.0 and later Description: A privileged user can change the visibility level of a group or a project to a restricted option through an API call, even after the instance administrator sets that visibility option as...
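Upgrading closes the API bypass described in the CVE-2021-39903 entries and PT-2021-22750 above, but it does not revert groups or projects that were already moved to a restricted visibility level while the bug was live. The audit below, an added example and not GitLab's own code, reads `restricted_visibility_levels` from the public REST API (`GET /api/v4/application/settings`) and flags every project and group whose current `visibility` is on that list. The host name and token are placeholders, the `fetch_all` pagination follows the documented `page`/`per_page` parameters, and the sample settings and listings are constructed in the block.

```python
"""Audit GitLab projects and groups against restricted_visibility_levels.

Added example for CVE-2021-39903 / PT-2021-22750; not GitLab code. Uses the
public REST API paths; host, token and the sample responses are placeholders
or constructed data.
"""
import json
import urllib.request
from typing import Any, Dict, List


def violations(settings: Dict[str, Any], objects: List[Dict[str, Any]], kind: str) -> List[Dict[str, Any]]:
    """Return objects whose visibility the instance administrator has restricted.

    `settings` is the /application/settings document (restricted_visibility_levels
    is a list such as ["public"]); `objects` are /projects or /groups entries.
    """
    restricted = set(settings.get("restricted_visibility_levels") or [])
    found = []
    for obj in objects:
        vis = obj.get("visibility")
        if vis in restricted:
            found.append({
                "kind": kind,
                "id": obj.get("id"),
                # projects expose path_with_namespace, groups expose full_path
                "path": obj.get("path_with_namespace") or obj.get("full_path"),
                "visibility": vis,
            })
    return found


def fetch_json(base_url: str, path: str, token: str) -> Any:
    """GET one API resource with an admin private token (live network call)."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(base_url: str, path: str, token: str) -> List[Dict[str, Any]]:
    """Walk a paginated collection until an empty page is returned."""
    results: List[Dict[str, Any]] = []
    page = 1
    while True:
        batch = fetch_json(base_url, f"{path}?per_page=100&page={page}", token)
        if not batch:
            return results
        results.extend(batch)
        page += 1


def audit_instance(base_url: str, token: str) -> List[Dict[str, Any]]:
    """Live audit: settings plus every project and group visible to the admin token."""
    settings = fetch_json(base_url, "/application/settings", token)
    projects = fetch_all(base_url, "/projects", token)
    groups = fetch_all(base_url, "/groups", token)
    return violations(settings, projects, "project") + violations(settings, groups, "group")


# Constructed sample data standing in for API responses.
SAMPLE_SETTINGS = {"restricted_visibility_levels": ["public"]}
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "infra/terraform", "visibility": "private"},
    {"id": 2, "path_with_namespace": "infra/exposed-config", "visibility": "public"},
]
SAMPLE_GROUPS = [
    {"id": 10, "full_path": "infra", "visibility": "internal"},
    {"id": 11, "full_path": "contractors", "visibility": "public"},
]


def sample_audit() -> List[Dict[str, Any]]:
    """Run the comparison over the constructed data (no network)."""
    return violations(SAMPLE_SETTINGS, SAMPLE_PROJECTS, "project") + violations(SAMPLE_SETTINGS, SAMPLE_GROUPS, "group")


if __name__ == "__main__":
    for hit in sample_audit():
        print("visibility violates instance restriction:", hit)
    # Live use (placeholders): audit_instance("https://gitlab.example.com", "glpat-...")
```

Each hit is an object an administrator should reset to an allowed level, since the fixed releases enforce the restriction only on future changes.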
PT-2021-22759 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions prior to 14.2.6 GitLab CE/EE versions 14.3 through 14.3.3 GitLab CE/EE versions 14.4 through 14.4.0 Description: The issue involves the accidental logging of the system root password in the migration log. This allows an...
NewStart CGSL CORE 5.04 / MAIN 5.04 : docker-ce Vulnerability (NS-SA-2021-0097)
The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has docker-ce packages installed that are affected by a vulnerability: - In Docker before versions 19.03.15 and 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd...