Lucene search

961 matches found

UbuntuCve · added 2023/12/04 12:00 a.m.

CVE-2023-5332

A patch in the third-party library Consul requires 'enable-script-checks' to be set to False. This setting is required for the vendor's patch to take effect; without it the patch could be bypassed. This only affects GitLab-EE...

CVSS 8.1 · AI score 7.1 · EPSS 0.00021
Exploits: 1 · References: 3
Positive Technologies · added 2023/12/03 12:00 a.m.

PT-2023-32051 · Hashicorp +2 · Hashicorp Consul +2

Vulnerable software and affected versions: GitLab-EE, affected versions not specified. Description: The issue is related to a patch in the third-party library Consul, which requires the 'enable-script-checks' setting to be set to False. This setting is necessary to enable a patch provid...

CVSS 8.1 · AI score 6.4 · EPSS 0.00021
Exploits: 1 · References: 17
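The 'enable-script-checks' requirement in the two entries above is easy to get wrong when a Consul agent's configuration is spread across several files and a command line. The Python audit below is an added example, not code from GitLab, HashiCorp or any of the listed sources. It assumes that the JSON key `enable_script_checks` is the file form of the `-enable-script-checks` command-line flag, that files in a config directory are loaded in lexical order with later files overriding earlier ones, that command-line flags are applied last, and that the option defaults to false when absent. The sample deployments are constructed for the example.

```python
"""Audit a Consul agent's effective 'enable_script_checks' setting.

Added example (not GitLab's or HashiCorp's code). Assumptions: Consul merges
JSON config files in lexical filename order with later files overriding
earlier ones, command-line flags are applied last, and the option defaults
to false when absent. The sample deployments below are constructed.
"""
import json
import shlex

KEY = "enable_script_checks"    # JSON config key
FLAG = "enable-script-checks"   # CLI form, with leading dashes stripped


def _truthy(value):
    """Interpret JSON booleans plus the string forms hand-edited files contain."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes", "on"}
    return bool(value)


def effective_script_checks(config_files, command_line=""):
    """Return True if script checks are enabled after merging files and flags.

    config_files: list of (filename, json_text); sorted here as Consul would load them.
    command_line: the agent's full command line, e.g.
                  "consul agent -config-dir=/etc/consul.d -enable-script-checks".
    """
    enabled = False  # Consul default when the key is absent everywhere
    for _name, text in sorted(config_files):
        data = json.loads(text)
        if KEY in data:
            enabled = _truthy(data[KEY])
    for arg in shlex.split(command_line):
        name, sep, val = arg.lstrip("-").partition("=")
        if name == FLAG:
            # A bare boolean flag means true; "=false" explicitly disables it.
            enabled = True if not sep else _truthy(val)
    return enabled


# Constructed sample deployments: name -> (config files, command line)
SAMPLE_DEPLOYMENTS = {
    "weak": (
        [("00-base.json", '{"datacenter": "dc1", "enable_script_checks": true}')],
        "consul agent -config-dir=/etc/consul.d",
    ),
    "corrected": (
        [("00-base.json", '{"datacenter": "dc1", "enable_script_checks": false}')],
        "consul agent -config-dir=/etc/consul.d",
    ),
    "fixed-by-later-file": (
        [("00-base.json", '{"enable_script_checks": true}'),
         ("10-hardening.json", '{"enable_script_checks": false}')],
        "consul agent -config-dir=/etc/consul.d",
    ),
    "reenabled-on-command-line": (
        [("00-base.json", '{"enable_script_checks": false}')],
        "consul agent -config-dir=/etc/consul.d -enable-script-checks",
    ),
    "default-when-absent": (
        [("00-base.json", '{"datacenter": "dc1"}')],
        "consul agent -config-dir=/etc/consul.d",
    ),
}


def audit(deployments=SAMPLE_DEPLOYMENTS):
    """Map deployment name -> list of findings (an empty list means compliant)."""
    report = {}
    for name, (files, cmdline) in deployments.items():
        findings = []
        if effective_script_checks(files, cmdline):
            findings.append(f"{KEY} is effectively true; the Consul patch can be bypassed")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The point of the merge logic is that a hardening file with `"enable_script_checks": false` is not enough on its own: a later-sorted file or a flag on the agent's command line silently re-enables script checks, so the audit reports the effective value rather than the presence of the setting in any one file.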
Prion · added 2023/12/01 7:15 a.m.

Design/Logic Flaw

An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects...

CVSS 5 · AI score 6.9 · EPSS 0.00043
Exploits: 0 · References: 2 · Affected software: 1
Prion · added 2023/12/01 7:15 a.m.

Input validation

An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted mermaid...

CVSS 4 · AI score 6.6 · EPSS 0.0006
Exploits: 0 · References: 2 · Affected software: 1
Cvelist · added 2023/12/01 7:01 a.m.

CVE-2023-4658 Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted t...

CVSS 3.1 · AI score 4.2 · EPSS 0.00055
Exploits: 0 · References: 2
OSV · added 2023/12/01 7:01 a.m.

CVE-2023-4658 Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted t...

CVSS 3.1 · AI score 4 · EPSS 0.00055
Exploits: 0 · References: 5
CVE · added 2023/12/01 7:01 a.m.

CVE-2023-6033

CVE-2023-6033 affects GitLab CE/EE: improper neutralization of input in the Jira integration configuration enables cross-site scripting (XSS) by an attacker. Affected versions are 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3. Documented impact is attacker-executed Java...

CVSS 8.7 · AI score 6.7 · EPSS 0.01241
Exploits: 0 · References: 2 · Affected software: 1
UbuntuCve · added 2023/12/01 12:00 a.m.

CVE-2023-4912

An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted mermaid...

CVSS 6.5 · AI score 6.5 · EPSS 0.0006
Exploits: 0 · References: 3
UbuntuCve · added 2023/12/01 12:00 a.m.

CVE-2023-5995

An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects...

CVSS 7.5 · AI score 6.9 · EPSS 0.00043
Exploits: 0 · References: 3
Vulnrichment · added 2023/11/09 9:01 p.m.

CVE-2023-4379 Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated...

CVSS 8.1 · AI score 7 · EPSS 0.00013
Exploits: 0 · References: 1
Prion · added 2023/11/06 6:15 p.m.

Authorization

An authorization issue in GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1 allowed a user to run jobs in protected environments, bypassing any required approvals...

CVSS 4 · AI score 6.5 · EPSS 0.00006
Exploits: 0 · References: 2 · Affected software: 1
NVD · added 2023/11/06 1:15 p.m.

CVE-2023-5963

An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators...

CVSS 4.3 · AI score 4.1 · EPSS 0.00014
Exploits: 0 · References: 1
UbuntuCve · added 2023/11/06 1:15 p.m.

CVE-2023-3399

An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorized project or group member to read the CI/CD variables using the custom...

CVSS 8.5 · AI score 7 · EPSS 0.00034
Exploits: 0 · References: 1
CVE · added 2023/11/06 12:18 p.m.

CVE-2023-5963

GitLab EE Advanced Search vulnerability (CVE-2023-5963) affects GitLab EE versions 13.9 to 16.3.6, 16.4 before 16.4.2, and 16.5 before 16.5.1. The issue allows a denial of service in Advanced Search by chaining too many syntax operators. Remediation: upgrade to GitLab version 16.4.2 or 16.5.1 or lat...

CVSS 4.3 · AI score 4 · EPSS 0.00014
Exploits: 0 · References: 1 · Affected software: 1
Debian CVE · added 2023/11/06 12:18 p.m.

CVE-2023-5963

Removed by vendor...

CVSS 4.3 · AI score 5.8 · EPSS 0.00014
Exploits: 0
OSV · added 2023/11/06 12:18 p.m.

CVE-2023-5963 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators...

CVSS 3.1 · AI score 4.7 · EPSS 0.00014
Exploits: 0 · References: 4
Debian CVE · added 2023/11/06 12:08 p.m.

CVE-2023-3909

Removed by vendor...

CVSS 6.5 · AI score 6.6 · EPSS 0.00023
Exploits: 0
CVE · added 2023/11/06 10:30 a.m.

CVE-2023-5831

GitLab CE/EE is vulnerable when the super_sidebar_logged_out feature flag is enabled. Affected versions are 16.0 to 16.3.5, 16.4.x prior to 16.4.2, and 16.5.x prior to 16.5.1. With the flag enabled, there is a risk of unintentionally disclosing GitLab version metadata to unauthorized a...

CVSS 5.3 · AI score 4.7 · EPSS 0.00075
Exploits: 0 · References: 1 · Affected software: 1
RedhatCVE · added 2023/10/09 5:57 p.m.

CVE-2023-3932

An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan...

CVSS 8.2 · AI score 8.8 · EPSS 0.00076
Exploits: 1 · References: 3
RedhatCVE · added 2023/10/09 5:56 p.m.

CVE-2023-3993

An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint...

CVSS 7.5 · AI score 6.7 · EPSS 0.00094
Exploits: 0 · References: 4