Filtered by vendor: Gitlab
Total 1068 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-39875 1 Gitlab 1 Gitlab 2024-08-04 5.3 Medium
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
CVE-2021-22167 1 Gitlab 1 Gitlab 2024-08-03 5.3 Medium
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in a specific project page allow an attacker to gain temporary read access to the private repository.
CVE-2021-22254 1 Gitlab 1 Gitlab 2024-08-03 3.1 Low
Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.
CVE-2021-22263 1 Gitlab 1 Gitlab 2024-08-03 5.5 Medium
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
CVE-2021-22259 1 Gitlab 1 Gitlab 2024-08-03 4.3 Medium
A potential DoS vulnerability was discovered in GitLab EE starting with version 12.6 due to a lack of pagination in the dependencies API.
CVE-2021-22260 1 Gitlab 1 Gitlab 2024-08-03 7.7 High
A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
CVE-2021-22257 1 Gitlab 1 Gitlab 2024-08-03 5.3 Medium
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.
CVE-2021-22264 1 Gitlab 1 Gitlab 2024-08-03 6.8 Medium
An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.
CVE-2021-22231 1 Gitlab 1 Gitlab 2024-08-03 3.5 Low
A denial of service in the user's profile page is found starting with GitLab CE/EE 8.0 that allows an attacker to deny access to their profile page by using a specially crafted username.
CVE-2021-22262 1 Gitlab 1 Gitlab 2024-08-03 5.4 Medium
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page.
CVE-2021-22261 1 Gitlab 1 Gitlab 2024-08-03 7.3 High
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses.
CVE-2021-22258 1 Gitlab 1 Gitlab 2024-08-03 4.3 Medium
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses.
CVE-2021-22256 1 Gitlab 1 Gitlab 2024-08-03 5.4 Medium
Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status.
CVE-2021-22206 1 Gitlab 1 Gitlab 2024-08-03 6.8 Medium
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed, allowing other maintainers to view the credentials in plain text.
CVE-2021-22237 1 Gitlab 1 Gitlab 2024-08-03 6.6 Medium
Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, and 14.1.2.
CVE-2021-22234 1 Gitlab 1 Gitlab 2024-08-03 9.6 Critical
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.0.4. A specially crafted design image allowed attackers to read arbitrary files on the server.
CVE-2021-22233 1 Gitlab 1 Gitlab 2024-08-03 4.3 Medium
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details.
CVE-2021-22211 1 Gitlab 1 Gitlab 2024-08-03 3.1 Low
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
CVE-2021-22244 1 Gitlab 1 Gitlab 2024-08-03 3.1 Low
Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data.
CVE-2021-22241 1 Gitlab 1 Gitlab 2024-08-03 8.7 High
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site scripting vulnerability via a specially crafted default branch name.