Gitlab Ce vulnerabilities
572 known vulnerabilities affecting gitlab/gitlab_ce.
Total CVEs
572
CISA KEV
3
actively exploited
Public exploits
14
Exploited in wild
2
Severity breakdown
CRITICAL18HIGH128MEDIUM342LOW84
Vulnerabilities
Page 23 of 29
CVE-2021-39931LOWCVSS 3.12021-12-13
CVE-2021-39931 [LOW] CVE-2021-39931: An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, a
CVE-2021-39931: An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches d
gitlab
CVE-2021-39945LOWCVSS 2.72021-12-13
CVE-2021-39945 [LOW] CWE-863 CVE-2021-39945: Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4,
CVE-2021-39945: Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their p
gitlab
CVE-2021-39941LOWCVSS 3.72021-12-13
CVE-2021-39941 [LOW] CWE-200 CVE-2021-39941: An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see
CVE-2021-39941: An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members
gitlab
CVE-2021-39906HIGHCVSS 8.72021-11-05
CVE-2021-39906 [HIGH] CWE-79 CVE-2021-39906: Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's beha
CVE-2021-39906: Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
gitlab
CVE-2021-22260HIGHCVSS 7.72021-11-05
CVE-2021-22260 [HIGH] CWE-79 CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions
CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code
gitlab
CVE-2021-39913MEDIUMCVSS 4.42021-11-05
CVE-2021-39913 [MEDIUM] CWE-532 CVE-2021-39913: Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before
CVE-2021-39913: Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level p
gitlab
CVE-2021-39904MEDIUMCVSS 4.32021-11-05
CVE-2021-39904 [MEDIUM] CWE-863 CVE-2021-39904: An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting fr
CVE-2021-39904: An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and appl
gitlab
CVE-2021-39912MEDIUMCVSS 5.32021-11-05
CVE-2021-39912 [MEDIUM] CWE-770 CVE-2021-39912: A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory
CVE-2021-39912: A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion.
gitlab
CVE-2021-39905MEDIUMCVSS 4.32021-11-05
CVE-2021-39905 [MEDIUM] CVE-2021-39905: An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a pu
CVE-2021-39905: An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with
gitlab
CVE-2021-39907MEDIUMCVSS 5.32021-11-05
CVE-2021-39907 [MEDIUM] CWE-770 CVE-2021-39907: A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in hi
CVE-2021-39907: A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
gitlab
CVE-2021-39895MEDIUMCVSS 6.02021-11-05
CVE-2021-39895 [MEDIUM] CVE-2021-39895: In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting
CVE-2021-39895: In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclo
gitlab
CVE-2021-39897LOWCVSS 2.62021-11-05
CVE-2021-39897 [LOW] CWE-281 CVE-2021-39897: Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to stil
CVE-2021-39897: Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred
gitlab
CVE-2021-39901LOWCVSS 2.72021-11-05
CVE-2021-39901 [LOW] CVE-2021-39901: In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint.
CVE-2021-39901: In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint.
gitlab
CVE-2021-39911LOWCVSS 1.72021-11-05
CVE-2021-39911 [LOW] CVE-2021-39911: An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and a
CVE-2021-39911: An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers
gitlab
CVE-2021-39898LOWCVSS 3.72021-11-05
CVE-2021-39898 [LOW] CWE-200 CVE-2021-39898: In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project whic
CVE-2021-39898: In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
gitlab
CVE-2021-39902MEDIUMCVSS 4.32021-11-04
CVE-2021-39902 [MEDIUM] CWE-863 CVE-2021-39902: Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
CVE-2021-39902: Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
gitlab
CVE-2021-39903MEDIUMCVSS 6.52021-11-04
CVE-2021-39903 [MEDIUM] CVE-2021-39903: In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to
CVE-2021-39903: In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
gitlab
CVE-2021-39887HIGHCVSS 7.32021-10-05
CVE-2021-39887 [HIGH] CWE-79 CVE-2021-39887: A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbit
CVE-2021-39887: A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.
gitlab
CVE-2021-39872MEDIUMCVSS 6.52021-10-05
CVE-2021-39872 [MEDIUM] CWE-287 CVE-2021-39872: In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab
CVE-2021-39872: In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.
gitlab
CVE-2021-39880MEDIUMCVSS 6.52021-10-05
CVE-2021-39880 [MEDIUM] CVE-2021-39880: A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions sta
CVE-2021-39880: A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially c
gitlab