961 matches found
CVE-2021-39891
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure...
CVE-2021-39880
CVE-2021-39880 affects the apollo_upload_server middleware in GitLab CE/EE (Ruby gem) across all affected GitLab releases: 11.9–14.0.8, 14.1.0–14.1.3, and 14.2.0–14.2.1. The issue allows a Denial of Service via specially crafted requests, denying access to all users. Upstream fixes exist in the c...
CVE-2021-39889
CVE-2021-39889 affects GitLab EE versions from 14.1 onward. An insecure direct object reference in a protected-branch API endpoint may disclose the protected branch name to a malicious user who crafts an API call using the branch ID. Impact is information disclosure (confidentiality) with no inte...
CVE-2021-39870
Removed by vendor...
CVE-2021-39875
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint...
CVE-2021-39888
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates...
CVE-2021-39872
CVE-2021-39872 affects GitLab CE/EE (all versions since 14.1) and stems from an improper access-control flaw that allows users with expired passwords to access GitLab via git and API tokens that were acquired before expiration. The vulnerability is described as enabling access through existing to...
CVE-2021-39885
A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious...
CVE-2021-39899
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account...
CVE-2021-22259
A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API...
CVE-2021-22259
A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API...
Authorization
Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups...
Cross site scripting
A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious...
Design/Logic Flaw
A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API...
CVE-2021-39885
A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious...
CVE-2021-39883
Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups...
CVE-2021-22259
A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API...
CVE-2021-22259
CVE-2021-22259 describes a potential denial-of-service against GitLab EE beginning with version 12.6, caused by lack of pagination in the dependencies API. The issue affects GitLab EE (starting at 12.6) and has CVSS-derived scores indicating higher impact on availability (as per the provided metr...
CVE-2021-39899
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account...
CVE-2021-39885
Removed by vendor...