2484 matches found

OSV
added 2024/01/26 2:2 a.m.

CVE-2023-6159 Inefficient Regular Expression Complexity in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a Cargo.toml containing maliciously crafted input...

CVSS 6.5, AI score 6.2, EPSS 0.00987
Exploits: 0, References: 6
CVE
added 2024/01/26 2:2 a.m.

CVE-2023-6159

CVE-2023-6159 affects GitLab CE/EE versions 12.7–16.6.5, 16.7.0–16.7.3, and 16.8.0–16.8.0; it enables a Regular Expression Denial of Service when processing a crafted Cargo.toml. The root cause is an inefficient regex handling in input processing. GitLab has released patched versions (e.g., 16.8....

CVSS 6.5, AI score 6.2, EPSS 0.00987
Exploits: 0, References: 3, Affected Software: 1
Debian CVE
added 2024/01/26 2:2 a.m.

CVE-2023-6159

Removed by vendor...

CVSS 6.5, AI score 6.6, EPSS 0.00987
Exploits: 0
Prion
added 2024/01/26 1:15 a.m.

Input validation

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests...

CVSS 4.9, AI score 6.8, EPSS 0.00683
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2024/01/26 1:2 a.m.

CVE-2023-5933 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests...

CVSS 6.4, AI score 6.7, EPSS 0.00683
Exploits: 0, References: 3
CVE
added 2024/01/26 1:2 a.m.

CVE-2023-5933

CVE-2023-5933 affects GitLab CE/EE. The issue is in the handling of user name input, where improper input sanitization enables arbitrary API PUT requests. Affected versions are all releases after 13.7 and before 16.6.6, versions 16.7 before 16.7.4, and versions 16.8 before 16.8.1. The reference d...

CVSS 6.4, AI score 5.5, EPSS 0.00683
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2024/01/26 1:2 a.m.

CVE-2023-5933 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests...

CVSS 6.4, AI score 6.9, EPSS 0.00683
Exploits: 0, References: 3
CVE
added 2024/01/26 1:2 a.m.

CVE-2024-0402

CVE-2024-0402: A path traversal flaw in GitLab CE/EE allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. Affected versions are 16.0–16.0.x up to 16.6.5, 16.7.x up to 16.7.3, and 16.8.x up to 16.8.0. Exploitation details are not provi...

CVSS 9.9, AI score 9.1, EPSS 0.03302
Exploits: 0, References: 2, Affected Software: 1
Debian CVE
added 2024/01/26 1:2 a.m.

CVE-2024-0402

Removed by vendor...

CVSS 9.9, AI score 7.5, EPSS 0.03302
Exploits: 0
NVD
added 2024/01/12 2:15 p.m.

CVE-2023-5356

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user...

CVSS 8.8, AI score 7.9, EPSS 0.00829
Exploits: 0, References: 2
Prion
added 2024/01/12 2:15 p.m.

Design/Logic Flaw

An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...

CVSS 5, AI score 6.5, EPSS 0.00384
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2024/01/12 1:57 p.m.

CVE-2023-2030

CVE-2023-2030 affects GitLab CE/EE versions from 12.2 up to 16.5.5 (and 16.6 up to 16.6.3, 16.7 up to 16.7.1). The issue allows an attacker to potentially modify the metadata of signed commits. The vulnerability’s CVSS3.1 base score is 5.3 (MEDIUM) with network attack vector, and no privileges re...

CVSS 5.3, AI score 5.2, EPSS 0.00384
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2024/01/12 1:56 p.m.

CVE-2023-5356 Incorrect Authorization in GitLab

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user...

CVSS 7.3, AI score 8.8, EPSS 0.00829
Exploits: 0, References: 5
CVE
added 2024/01/12 1:56 p.m.

CVE-2023-7028

GitLab CE/EE versions affected are vulnerable to an improper access-control allowing password-reset emails to be sent to unverified addresses, enabling account takeover. CISA KEV notes active exploitation; PoCs and public references exist (Exploit-DB PoC for GitLab

CVSS 10, AI score 7.5, EPSS 0.94955
In wild; Exploits: 16, References: 4, Affected Software: 1
OSV
added 2024/01/12 1:56 p.m.

CVE-2023-7028 Weak Password Recovery Mechanism for Forgotten Password in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to a...

CVSS 10, AI score 8.8, EPSS 0.94955
Exploits: 16, References: 7
Tenable Nessus
added 2024/01/03 12:0 a.m.

GitLab 0.0 < 14.3.6 / 14.4 < 14.4.4 / 14.5 < 14.5.2 (CVE-2021-39937)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential...

CVSS 8.8, AI score 7.8, EPSS 0.00752
Exploits: 0, References: 3
Tenable Nessus
added 2024/01/03 12:0 a.m.

GitLab 10.7 < 14.3.6 / 14.4 < 14.4.4 / 14.5 < 14.5.2 (CVE-2021-39936)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an...

CVSS 4.3, AI score 5.2, EPSS 0.01025
Exploits: 0, References: 4
Tenable Nessus
added 2024/01/03 12:0 a.m.

GitLab 11.9 < 13.11.6 / 13.12 < 13.12.6 / 14.0 < 14.0.2 (CVE-2021-22223)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link...

CVSS 6.1, AI score 6.4, EPSS 0.00949
Exploits: 0, References: 4
Tenable Nessus
added 2024/01/02 12:0 a.m.

GitLab 13.8 < 13.9.7 / 13.10 < 13.10.4 / 13.11 < 13.11.12 (CVE-2021-22209)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed...

CVSS 7.5, AI score 7.2, EPSS 0.00934
Exploits: 0, References: 3
Tenable Nessus
added 2023/12/27 12:0 a.m.

NewStart CGSL MAIN 6.06 : docker-ce Multiple Vulnerabilities (NS-SA-2023-0095)

The remote NewStart CGSL host, running version MAIN 6.06, has docker-ce packages installed that are affected by multiple vulnerabilities: - net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is...

CVSS 9.8, AI score 7.6, EPSS 0.08359
Exploits: 1, References: 5