961 matches found
CVE-2022-1413
Removed by vendor...
CVE-2022-1545
It was possible to disclose details of confidential notes created via the API in GitLab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note...
Design/Logic Flaw
Missing filtering in an error message in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive information when an include directive fails in the CI/CD configuration...
CVE-2022-1174
GitLab CE/EE is affected by CVE-2022-1174: a DoS condition where a crafted input in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc. can trigger high CPU usage. Affected versions: 13.7 before 14.7.7; 14.8 before 14.8.5; 14.9 before 14.9.2. Remediation: upgrade to fixed releases (14....
CVE-2022-1099
The CVE-2022-1099 entry affects GitLab CE/EE (GitLab CI runners) where adding an extremely large number of tags to a runner can degrade GitLab performance. Affected versions include all prior to 14.7.7, 14.8.x prior to 14.8.5, and 14.9.x prior to 14.9.2. The vulnerability stems from how runner ta...
CVE-2022-0740
GitLab CE/EE versions are affected by an incorrect authorization in the Asana integration's branch restriction feature, allowing closure of Asana tasks from unrestricted branches. Affected ranges: 7.8.0–14.7.6; 14.8.0–14.8.4; 14.9.0–14.9.1. Root cause: enforcement gap in the branch restriction lo...
CVE-2022-0425
Summary (CVE-2022-0425) A DNS rebinding vulnerability in the Irker IRC Gateway integration affects all GitLab CE/EE versions since 7.9, enabling Server Side Request Forgery (SSRF). The issue is tied to the GitLab Irker gateway component, with root cause described as DNS rebinding that can trigger...
CVE-2022-0427
Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover...
CVE-2021-39943
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call...
Authorization
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call...
CVE-2021-39943
CVE-2021-39943 describes an authorization logic error in GitLab EE's External Status Check API, allowing a user to update the status of a check via an API call. The issue affects GitLab EE versions: 14.1 up to but not including 14.3.6; 14.4.x up to but not including 14.4.4; and 14.5.x up to but n...
CVE-2021-39943
Removed by vendor...
Design/Logic Flaw
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis...
CVE-2021-39942
Removed by vendor...
CVE-2021-39930
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates...
CVE-2021-39945
Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project...
CVE-2021-39918
Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed...