Filtered by vendor Gitlab
Total: 1079 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-0456 | 1 Gitlab | 1 Gitlab | 2024-10-12 | 4.3 Medium | An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project.
CVE-2023-6955 | 1 Gitlab | 1 Gitlab | 2024-10-12 | 6.6 Medium | A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
CVE-2024-9164 | 1 Gitlab | 1 Gitlab | 2024-10-11 | 9.6 Critical | An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
CVE-2024-5005 | 1 Gitlab | 1 Gitlab | 2024-10-11 | 4.3 Medium | An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.
CVE-2024-8970 | 1 Gitlab | 1 Gitlab | 2024-10-11 | 8.2 High | An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
CVE-2023-3949 | 1 Gitlab | 1 Gitlab | 2024-10-10 | 5.3 Medium | An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public project's release descriptions via an atom endpoint when release access was set to project members only.
CVE-2024-9596 | 1 Gitlab | 1 Gitlab | 2024-10-10 | 3.7 Low | An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.
CVE-2024-8977 | 1 Gitlab | 1 Gitlab | 2024-10-10 | 8.2 High | An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with the Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
CVE-2024-6530 | 1 Gitlab | 1 Gitlab | 2024-10-10 | 7.3 High | A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorizing an application, it can be made to render as HTML under specific circumstances.
CVE-2024-9623 | 1 Gitlab | 1 Gitlab | 2024-10-10 | 4.9 Medium | An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
CVE-2024-45409 | 3 Gitlab, Omniauth, Onelogin | 4 Gitlab, Omniauth-saml, Omniauth Saml and 1 more | 2024-10-10 | 10 Critical | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
CVE-2023-4378 | 1 Gitlab | 1 Gitlab | 2024-10-09 | 5.5 Medium | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, and all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the Sentry token by changing the configured URL in the Sentry error tracking settings page. This was a result of an incomplete fix for CVE-2022-4365.
CVE-2024-1066 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 6.5 Medium | An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to cause resource exhaustion using the GraphQL `vulnerabilitiesCountByDay` query.
CVE-2024-4278 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 5.5 Medium | An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.
CVE-2023-4647 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 5.3 Medium | An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, and all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances.
CVE-2023-3246 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 4.3 Medium | An issue has been discovered in GitLab EE/CE affecting all versions before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5 before 16.5.1 which allows attackers to block the Sidekiq job processor.
CVE-2023-2485 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 4.4 Medium | An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of.
CVE-2023-2030 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 3.5 Low | An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
CVE-2023-1825 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 3.1 Low | An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export.
CVE-2023-1401 | 1 Gitlab | 1 Gitlab | 2024-10-08 | 5 Medium | An issue has been discovered in the GitLab DAST scanner affecting all versions starting from 3.0.29 before 4.0.5, in which the DAST scanner leaks cross-site cookies on redirect during authorization.