CVE-2022-2459

GitLab Enterprise Edition (GitLab EE) is affected by CVE-2022-2459 in affected versions prior to 15.0.5, versions 15.1 before 15.1.4, and versions 15.2 before 15.2.1. Description: an issue could allow email-invited members to join a project even after the group-owner setting to prevent adding mem...

CVE-2022-2501

GitLab EE vulnerability CVE-2022-2501 is an improper access control issue where an attacker can bypass IP allow-listing to download artifacts, while needing proper permissions. Affected versions include all 12.0–14.x (up to 15.0.5 before 15.0.5), 15.1 before 15.1.4, and 15.2 before 15.2.1. Remedi...

CVE-2022-2501

Removed by vendor...

CVE-2022-2501

An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required...

CVE-2022-2498

CVE-2022-2498 affects GitLab Enterprise Edition pipelines subscriptions. The issue causes new pipelines to be created with the tag creator as the pipeline creator rather than the subscription author, indicating a mismatch in ownership attribution in the subscription logic. Affected versions: GitL...

CVE-2022-2498

An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author...

CVE-2022-2498

Removed by vendor...

CVE-2022-2498

An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author...

CVE-2022-2417

GitLab CVE-2022-2417 affects GitLab CE/EE; root cause is insufficient validation during project import, enabling an authenticated user to import a project with branch names that are 40 hexadecimal characters, which could enable supply-chain attacks by pinning to a specific commit. Affected versio...

CVE-2022-2417

Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply...

CVE-2022-2499

GitLab EE Jira integration contains an insecure direct object reference vulnerability that may allow an attacker to leak Jira issues. Affected GitLab EE versions: 13.10–15.0.4, 15.1–15.1.3, and 15.2–15.2.0. Root cause is an insecure direct object reference in the Jira integration. Remediation by ...

CVE-2022-2228

Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling...

CVE-2022-2228

Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling...

Information disclosure

Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling...

Information disclosure

An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintaine...

CVE-2022-2229

Removed by vendor...

CVE-2022-2235

Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link...

CVE-2022-2281

An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases...

Information disclosure

An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases...

Authorization

Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP...