Open redirect
An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL...
CVE-2022-1983
Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP...
Cross site scripting
Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link...
CVE-2022-2281
An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases...
CVE-2022-2228
Removed by vendor...
CVE-2022-2228
Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group using IP-based access restrictions even if the GitLab Runner is calling...
CVE-2022-2228
CVE-2022-2228 affects GitLab EE (and related GitLab product lines): information exposure through CI variables in a group when IP-based access restrictions are in place. Affected versions are GitLab from 12.0 up to, but not including, 14.10.5; 15.0 up to, but not including, 15.0.4; a...
CVE-2022-1981
Removed by vendor...
CVE-2022-1983
Removed by vendor...
CVE-2022-1983
CVE-2022-1983 affects GitLab EE: an incorrect authorization flaw allows an attacker with a valid Deploy Key or Deploy Token to misuse it from anywhere to access Container Registries, bypassing IP restrictions. Affected versions are GitLab EE 10.7–14.10.4, 15.0–15.0.3, and 15.1–15.1.0; fixed versi...
CVE-2022-2235
Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link...
CVE-2022-2235
Removed by vendor...
CVE-2022-2235
GitLab CE/EE external issue tracker sanitization flaw leads to cross-site scripting (XSS) in affected GitLab releases. Affected versions are 14.5 up to 14.10.5 (exclusive), 15.0 up to 15.0.4 (exclusive), and 15.1 up to 15.1.1 (exclusive). The vulnerability arises from insufficient input sanitizat...
CVE-2022-2281
Removed by vendor...
Code injection
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature available only on Premium+...
CVE-2022-1680
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature available only on Premium+...