957 matches found
CVE-2020-26417
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 and <13.6.2, >=13.5 and <13.5.5, and >=13.1 and <13.4.7...
CVE-2020-26417
Removed by vendor...
CVE-2020-26409 · Input validation
A DoS vulnerability exists in GitLab CE/EE >=10.3 and <13.4.7, >=13.5 and <13.5.5, and >=13.6 and <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields...
PT-2020-16416 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: Gitlab CE/EE versions 10.3 through 13.4.6 Gitlab CE/EE versions 13.5 through 13.5.4 Gitlab CE/EE versions 13.6 through 13.6.1 Description: A DOS issue exists that allows an attacker to trigger uncontrolled resource consumption by bypassing...
CVE-2020-26407
Removed by vendor...
CVE-2020-13359
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation, allowing a malicious project maintainer to overwrite the Terraform state and bypass audit and other business controls. Affected versions are >=12.10 and <13.3.9, >=13.4 and <13.4.5, and >=13.5 and <13.5.2...
CVE-2020-13355 · Path traversal
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal in LFS Upload allows an attacker to overwrite certain specific paths on the server. Affected versions are >=8.14 and <13.3.9, >=13.4 and <13.4.5, and >=13.5 and <13.5.2...
CVE-2020-13356 · Design/Logic Flaw
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are >=8.8.9 and <13.3.9, >=13.4 and <13.4.5, and >=13.5 and <13.5.2...
CVE-2020-13359
Removed by vendor...
CVE-2020-13355
Removed by vendor...
CVE-2020-26405
Path traversal vulnerability in the package upload functionality of GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8 and <13.3.9, >=13.4 and <13.4.5, and >=13.5 and <13.5.2...
CVE-2020-26405
CVE-2020-26405 is a path-traversal vulnerability in GitLab CE/EE package upload that allows saving packages to arbitrary locations. Affected GitLab versions include 12.8–13.3.8, 13.4–13.4.4, and 13.5–13.5.1. Root cause is in the package upload functionality. Remediation per sources: upgrade to 13...
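The listing states affected versions as per-branch ranges (for example "12.8–13.3.8, 13.4–13.4.4, 13.5–13.5.1" for CVE-2020-26405, and "10.3 through 13.4.6 / 13.5 through 13.5.4 / 13.6 through 13.6.1" for the DoS issue in PT-2020-16416 / CVE-2020-26409). Because GitLab backports fixes to three release branches, a plain "is my version older than the latest fix" comparison is wrong: 13.4.6 is vulnerable to CVE-2020-26409 while 13.4.7 is not, even though both are older than 13.5.5. The following is an added example, not code from this database or from GitLab, that parses the range strings as they appear on this page into inclusive per-branch ranges and reports which of the two entries with fully stated bounds apply to a given instance version; the other entries on the page are truncated and are deliberately not encoded.

```python
import re
from dataclasses import dataclass


def parse_version(s: str) -> tuple:
    """Turn '13.4.6' into (13, 4, 6); pad short forms so '13.5' compares as 13.5.0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Range:
    lo: str  # first affected version on a branch (inclusive)
    hi: str  # last affected version on that branch (inclusive, as the listing states "X through Y")

    def contains(self, version: str) -> bool:
        return parse_version(self.lo) <= parse_version(version) <= parse_version(self.hi)


# Matches "12.8–13.3.8", "12.8-13.3.8" and "12.8 through 13.3.8"; ranges are comma- or slash-separated.
_RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(?:–|-|through)\s*(\d+(?:\.\d+)*)")


def parse_ranges(text: str) -> list:
    """Extract every 'lo–hi' / 'lo through hi' pair from an affected-versions string."""
    return [Range(lo, hi) for lo, hi in _RANGE_RE.findall(text)]


# Affected ranges copied from the two entries on this page that state them in full.
ADVISORIES = {
    "CVE-2020-26409": parse_ranges("10.3 through 13.4.6, 13.5 through 13.5.4, 13.6 through 13.6.1"),
    "CVE-2020-26405": parse_ranges("12.8–13.3.8, 13.4–13.4.4, 13.5–13.5.1"),
}


def affected_by(version: str, advisories: dict = ADVISORIES) -> list:
    """Return the sorted IDs of advisories whose ranges include the given GitLab version."""
    return sorted(cve for cve, ranges in advisories.items() if any(r.contains(version) for r in ranges))


if __name__ == "__main__":
    # 13.4.6 is the last vulnerable 13.4.x for CVE-2020-26409 but already fixed for CVE-2020-26405.
    for v in ("13.3.8", "13.4.6", "13.4.7", "13.5", "13.6.2"):
        print(v, "->", affected_by(v) or "not affected by the encoded advisories")
```

The check is only as good as the ranges you load into it: an instance is "not affected" here only with respect to the two entries encoded, so extend ADVISORIES from the full advisory text rather than from truncated search snippets.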
CVE-2020-13351 · Design/Logic Flaw
Insufficient permission checks in the scheduled pipeline API in GitLab CE/EE 13.0+ allow an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0 and <13.3.9, >=13.4.0 and <13.4.5, and >=13.5.0 and <13.5.2...