961 matches found

Prion, added 2024/02/07 10:15 p.m.

Design/Logic Flaw

An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL vulnerabilitiesCountByDay...

CVSS 4, AI score 6.7, EPSS 0.00143, Exploits 0, References 1, Affected Software 1
UbuntuCve, added 2024/02/07 10:15 p.m.

CVE-2024-1066

An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL vulnerabilitiesCountByDay...

CVSS 6.5, AI score 6.5, EPSS 0.00143, Exploits 0, References 3
CVE, added 2024/02/07 10:02 p.m.

CVE-2023-6736

CVE-2023-6736 – GitLab EE DoS via CODEOWNERS. Affected: GitLab EE versions 11.3–16.7.6, 16.8 (before 16.8.3), and 16.9 (before 16.9.1). Description: attacker could trigger a client-side denial of service by supplying malicious content in the CODEOWNERS file. Impact: DoS on affected clients; no r...

CVSS 6.5, AI score 6.1, EPSS 0.00059, Exploits 0, References 2, Affected Software 1
OSV, added 2024/02/07 10:02 p.m.

CVE-2023-6840 Missing Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR...

CVSS 6.7, AI score 6.3, EPSS 0.00008, Exploits 0, References 5
Debian CVE, added 2024/02/07 10:02 p.m.

CVE-2023-6840

Removed by vendor...

CVSS 6.7, AI score 6.6, EPSS 0.00008, Exploits 0
OSV, added 2024/02/07 10:02 p.m.

CVE-2024-1066 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL vulnerabilitiesCountByDay...

CVSS 6.5, AI score 6.3, EPSS 0.00143, Exploits 0, References 4
Veracode, added 2024/01/29 5:37 p.m.

Improper Access Control

GitLab EE is vulnerable to Improper Access Control. The vulnerability is caused due to a flaw in authorization check while approving previously approved merged request. This flaw can be exploited to bypass CODEOWNERS approval by adding changes to a previously approved merge request...

CVSS 7.6, AI score 6.4, EPSS 0.0001, Exploits 0, References 3, Affected Software 1
Positive Technologies, added 2024/01/24 12:00 a.m.

PT-2024-1870 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab EE versions 16.4 through 16.7.5 GitLab EE versions 16.8 through 16.8.2 GitLab EE versions 16.9 through 16.9.0 Description: An issue has been discovered in GitLab EE, where users with the Guest role can change Custom dashboard projects...

CVSS 4.3, AI score 6.7, EPSS 0.00022, Exploits 0, References 14
Prion, added 2024/01/12 2:15 p.m.

Design/Logic Flaw

An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...

CVSS 5, AI score 6.5, EPSS 0.00045, Exploits 0, References 2, Affected Software 1
OSV, added 2024/01/12 1:56 p.m.

CVE-2023-4812 Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge...

CVSS 7.6, AI score 6.2, EPSS 0.0001, Exploits 0, References 5
Tenable Nessus, added 2024/01/03 12:00 a.m.

GitLab 11.1 < 14.3.6 / 14.4 < 14.4.4 / 14.5 < 14.5.2 (CVE-2021-39918)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a use...

CVSS 4.3, AI score 5.2, EPSS 0.00226, Exploits 0, References 4
Tenable Nessus, added 2024/01/03 12:00 a.m.

GitLab 11.9 < 13.11.6 / 13.12 < 13.12.6 / 14.0 < 14.0.2 (CVE-2021-22223)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link...

CVSS 6.1, AI score 6.4, EPSS 0.00185, Exploits 0, References 4
Tenable Nessus, added 2024/01/03 12:00 a.m.

GitLab 13.4 < 13.12.9 / 14.0 < 14.0.7 / 14.1 < 14.1.2 (CVE-2021-22253)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions...

CVSS 5.4, AI score 5.7, EPSS 0.0031, Exploits 0, References 4
Tenable Nessus, added 2024/01/03 12:00 a.m.

GitLab 12.2 < 13.12.9 / 14.0 < 14.0.7 / 14.1 < 14.1.2 (CVE-2021-22251)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings...

CVSS 4.3, AI score 5.2, EPSS 0.00218, Exploits 1, References 4
Prion, added 2023/12/17 11:15 p.m.

Privilege escalation

A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner...

CVSS 6.5, AI score 7.1, EPSS 0.00026, Exploits 0, References 2, Affected Software 1
OSV, added 2023/12/17 11:02 p.m.

CVE-2023-3907 Improper User Management in GitLab

A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner...

CVSS 4.9, AI score 8.7, EPSS 0.00026, Exploits 0, References 5
CVE, added 2023/12/17 11:02 p.m.

CVE-2023-3907

CVE-2023-3907 describes a privilege escalation in GitLab Enterprise Edition where a project Maintainer can use a Project Access Token to elevate their role to Owner. Affected versions are GitLab EE 16.0 up to but not including 16.4.4, 16.5 up to but not including 16.5.4, and 16.6 up to but not in...

CVSS 8.8, AI score 6.7, EPSS 0.00026, Exploits 0, References 2, Affected Software 1
Cvelist, added 2023/12/17 11:02 p.m.

CVE-2023-3907 Improper User Management in GitLab

A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner...

CVSS 4.9, AI score 8.9, EPSS 0.00026, Exploits 0, References 2
Debian CVE, added 2023/12/17 11:02 p.m.

CVE-2023-3907

Removed by vendor...

CVSS 8.8, AI score 7.3, EPSS 0.00026, Exploits 0
NVD, added 2023/12/15 4:15 p.m.

CVE-2023-3904

An issue has been discovered in GitLab EE affecting all versions starting before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible to overflow the time spent on an issue that altered the details shown in the issue boards...

CVSS 7.5, EPSS 0.00023, Exploits 0, References 2