CVE-2021-39931

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches du...

CVE-2021-39947

In specific circumstances, trace file buffers in GitLab Runner versions up to 14.3.4, 14.4 to 14.4.2, and 14.5 to 14.5.2 would re-use the file descriptor 0 for multiple traces and mix the output of several jobs...

BIT-GITLAB-2021-39927

Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via a crafted request sent to the /admin/users/userid/memberships/membershipid endpoint containing an additional membershipentityid parameter. This will allow an attacker to update the...

Pageflow vulnerable to insecure direct object reference in membership update endpoint

Impact Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account that they have the manager role to including their own. While the Entity dropdown select field is greyed out in the UI, an attacker can use tools which allow sending...

Race condition

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches du...

CVE-2021-39915

Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects...

Authorization

Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates...

Code injection

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input notes, comments, etc was susceptible to catastroph...

CVE-2021-39939

Removed by vendor...

CVE-2021-39934

Removed by vendor...

CVE-2021-39919

CVE-2021-39919 affects GitLab CE/EE: vulnerable in all versions before 14.3.6, all versions from 14.4 before 14.4.4, and all versions from 14.5 before 14.5.2. The reset password token and new user email token are logged, risking information disclosure. Remediation is to upgrade to fixed releases ...

CVE-2021-39931

GitLab CE/EE CVE-2021-39931 affects all versions from 8.11 up to 14.3.6, and 14.4 up to 14.4.4, and 14.5 up to 14.5.2. The flaw is a business-logic error that allowed an unauthorized project member to delete a protected branch. Impact described in the sources involves unauthorized deletion by low...

PT-2021-22770 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 8.11 through 14.3.5 GitLab CE/EE versions 14.4 through 14.4.3 GitLab CE/EE versions 14.5 through 14.5.1 Description: An issue has been discovered in GitLab CE/EE due to a business logic error, allowing an unauthorized...

Vulnerabilities fixed in GitLab Runner

Vulnerabilities have been fixed in GitLab Runner. A authenticated malicious party could potentially exploit them to cause a denial-of-service or to gain access to system data. GitLab developers have released updates to address the vulnerabilities in GitLab Runner 14.3.4, 14.4.2 and 14.5.2. For mo...