PRIOn Logo

Search KB


Search our pre-analyzed vulnerability database

Total Results: 967

of 49

Published:   Updated:

Vulnerability Type: Input validation

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v35.4

Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allows attacker to execute javascript in victim's browser.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v37.5

An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v37.5

An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.

Published:   Updated:

Vulnerability Type: Input validation

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v36.5

An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v33.1

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v34.3

An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v34.3

An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v35.3

An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v34.3

An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.

Published:   Updated:

Vulnerability Type: Code injection

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v37.5

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.

Published:   Updated:

Vulnerability Type: Authorization

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v36.5

An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v34.3

An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators.

Published:   Updated:

Vulnerability Type: Input validation

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v36.5

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v37.7

An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v34.3

An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor.

Published:   Updated:

Vulnerability Type: Default configuration

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v35.3

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v36.5

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v37.5

An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.

Published:   Updated:

Vulnerability Type: Design/Logic Flaw

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v38.8

A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.

Published:   Updated:

Vulnerability Type: Code injection

Vendor(s):  Gitlab
Routine
Remediate Within 6 Months
CVSS v2N/ACVSS v37.5

An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.

of 49