Filtered by vendor Gitlab
Subscriptions
Filtered by product Gitlab
Subscriptions
Total
1054 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-6371 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 8.7 High |
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. | ||||
CVE-2024-0199 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 7.7 High |
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. | ||||
CVE-2024-1299 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 6.5 Medium |
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges. | ||||
CVE-2024-7110 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 6.4 Medium |
An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection. | ||||
CVE-2024-4835 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 8 High |
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information. | ||||
CVE-2024-5655 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 9.6 Critical |
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances. | ||||
CVE-2024-6595 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 3 Low |
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data. | ||||
CVE-2024-3958 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 5.3 Medium |
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. | ||||
CVE-2024-3035 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 6.8 Medium |
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories. | ||||
CVE-2024-6685 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 3.1 Low |
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members. | ||||
CVE-2024-8124 | 1 Gitlab | 1 Gitlab | 2024-09-17 | 7.5 High |
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request. | ||||
CVE-2017-0919 | 1 Gitlab | 1 Gitlab | 2024-09-17 | N/A |
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized. | ||||
CVE-2014-3456 | 1 Gitlab | 1 Gitlab | 2024-09-17 | N/A |
Cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition (EE) 6.6.0 before 6.6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2017-0921 | 1 Gitlab | 1 Gitlab | 2024-09-17 | N/A |
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised. | ||||
CVE-2017-17716 | 1 Gitlab | 1 Gitlab | 2024-09-16 | N/A |
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. | ||||
CVE-2024-8640 | 1 Gitlab | 1 Gitlab | 2024-09-14 | 8.5 High |
An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. | ||||
CVE-2024-8635 | 1 Gitlab | 1 Gitlab | 2024-09-14 | 7.7 High |
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL | ||||
CVE-2024-8631 | 1 Gitlab | 1 Gitlab | 2024-09-14 | 5.5 Medium |
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. | ||||
CVE-2024-6446 | 1 Gitlab | 1 Gitlab | 2024-09-14 | 3.5 Low |
An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application. | ||||
CVE-2024-6389 | 1 Gitlab | 1 Gitlab | 2024-09-14 | 4.3 Medium |
An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. |