Filtered by vendor Gitlab
Subscribe
Total
1309 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0121 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 6.5 MEDIUM |
|
A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts.
|
|||||
| CVE-2024-2874 | 1 Gitlab | 1 Gitlab | 2024-12-16 | N/A | 6.5 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.
|
|||||
| CVE-2024-4835 | 1 Gitlab | 1 Gitlab | 2024-12-16 | N/A | 8.0 HIGH |
|
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
|
|||||
| CVE-2023-6502 | 1 Gitlab | 1 Gitlab | 2024-12-16 | N/A | 4.3 MEDIUM |
|
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.
|
|||||
| CVE-2023-7045 | 1 Gitlab | 1 Gitlab | 2024-12-16 | N/A | 5.4 MEDIUM |
|
A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).
|
|||||
| CVE-2024-1947 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 4.3 MEDIUM |
|
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
|
|||||
| CVE-2024-5258 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 4.4 MEDIUM |
|
An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
|
|||||
| CVE-2024-5318 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 4.0 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts.
|
|||||
| CVE-2024-4597 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 5.7 MEDIUM |
|
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
|
|||||
| CVE-2024-9164 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 9.6 CRITICAL |
|
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
|
|||||
| CVE-2024-3127 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 4.3 MEDIUM |
|
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.
|
|||||
| CVE-2024-8312 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 8.7 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.
|
|||||
| CVE-2024-6826 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 6.5 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.
|
|||||
| CVE-2024-10240 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 5.3 MEDIUM |
|
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
|
|||||
| CVE-2024-8237 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 6.5 MEDIUM |
|
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.
|
|||||
| CVE-2024-8177 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 5.3 MEDIUM |
|
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.
|
|||||
| CVE-2024-8180 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 5.4 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.
|
|||||
| CVE-2024-8970 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 8.2 HIGH |
|
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
|
|||||
| CVE-2024-4539 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 4.3 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service.
|
|||||
| CVE-2024-2651 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.5 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.
|
|||||
| CVE-2024-7404 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.8 MEDIUM |
|
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.
|
|||||
| CVE-2024-8648 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.1 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.
|
|||||
| CVE-2024-9633 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 3.1 LOW |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
|
|||||
| CVE-2024-11668 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 4.2 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
|
|||||
| CVE-2024-11669 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.5 MEDIUM |
|
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
|
|||||
| CVE-2024-11828 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 4.3 MEDIUM |
|
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch.
|
|||||
| CVE-2024-8114 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 8.2 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.
|
|||||
| CVE-2024-2177 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.8 MEDIUM |
|
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
|
|||||
| CVE-2023-3441 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.6 MEDIUM |
|
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.
|
|||||
| CVE-2024-5005 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 4.3 MEDIUM |
|
An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API.
|
|||||
| CVE-2024-2434 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 8.5 HIGH |
|
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
|
|||||
| CVE-2024-2829 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 7.5 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
|
|||||
| CVE-2024-4006 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 4.3 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions
|
|||||
| CVE-2024-4024 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 7.3 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
|
|||||
| CVE-2024-2454 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.5 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request.
|
|||||
| CVE-2023-6682 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.5 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server.
|
|||||
| CVE-2023-6688 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.5 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.
|
|||||
| CVE-2023-6371 | 1 Gitlab | 1 Gitlab | 2024-12-11 | N/A | 8.7 HIGH |
|
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
|
|||||
| CVE-2024-2818 | 1 Gitlab | 1 Gitlab | 2024-12-11 | N/A | 4.3 MEDIUM |
|
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels.
|
|||||
| CVE-2024-1299 | 1 Gitlab | 1 Gitlab | 2024-12-11 | N/A | 6.5 MEDIUM |
|
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.
|
|||||