GitLab EE vulnerabilities
10 known vulnerabilities affecting gitlab/gitlab_ee.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 9

Vulnerabilities
CVE-2021-22240 | MEDIUM | CVSS 4.3 | CWE-863 | Date 2021-08-05
Affected versions: >=13.7, <13.11.6; >=13.12, <13.12.6; +1 more
Improper access control in GitLab EE (fixed in 13.11.6, 13.12.6, and 14.0.2) allows users to be created via single sign-on despite the user cap being enabled.
Sources: cvelistv5, nvd
CVE-2020-26416 | MEDIUM | CVSS 4.4 | CWE-532 | Date 2020-12-11
Affected versions: >=8.4 to <13.4.7; >=13.5 to <13.5.5; +1 more
Information disclosure in the Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
Sources: cvelistv5, nvd
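The fix shape for a CWE-532 finding like this is to redact the sensitive parameter before the request logger sees it. The block below is an added example and not GitLab's code: a stand-alone Ruby equivalent of what Rails does for the keys named in config.filter_parameters, so the behaviour can be seen without a Rails app. The key names in SENSITIVE_KEYS and the sample request are assumptions.

```ruby
# Added example, not GitLab code: redact Advanced Search terms before the
# request is written to the Rails log. Rails does this for the keys named
# in config.filter_parameters; this stand-alone equivalent shows the
# behaviour without a Rails app. The key names below are assumptions.
SENSITIVE_KEYS = %w[search query password token].freeze

# Replace the value of any key whose name contains a sensitive word,
# recursing into nested hashes and arrays as query params often nest.
def filter_params(params, sensitive = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if sensitive.any? { |s| key.to_s.downcase.include?(s) }
                   "[FILTERED]"
                 else
                   filter_params(value, sensitive)
                 end
    end
  when Array
    params.map { |value| filter_params(value, sensitive) }
  else
    params
  end
end

# The "Parameters:" line the request logger emits, built from the
# filtered hash so the search term never reaches production.log.
def log_parameters_line(params, sensitive = SENSITIVE_KEYS)
  "  Parameters: #{filter_params(params, sensitive).inspect}"
end

# Constructed sample request: a search for a secret-looking string that
# must not be persisted on disk.
if __FILE__ == $PROGRAM_NAME
  raw = { "search" => "AWS_SECRET_ACCESS_KEY", "scope" => "blobs", "page" => "1" }
  puts "  Parameters: #{raw.inspect}"   # what a leaky logger writes
  puts log_parameters_line(raw)         # what it should write instead
end
```

In a Rails application the same effect comes from adding the parameter name to config.filter_parameters (config/initializers/filter_parameter_logging.rb). The filter is keyed on parameter names, so a term sent under an unlisted key still leaks; the check after deploying such a fix is to grep the Rails log for a known search string, including the request path line, not only the Parameters line.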
CVE-2020-26412 | MEDIUM | CVSS 4.3 | Date 2020-12-11
Affected versions: >=13.2, <13.4.7; >=13.5, <13.5.5; +1 more
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics, starting in GitLab EE 13.2 before 13.6.2.
Sources: cvelistv5, nvd
CVE-2020-26406 | MEDIUM | CVSS 5.3 | Date 2020-11-17
Affected versions: >=13.3, <13.3.9; >=13.4, <13.4.5; +1 more
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted, as well as to guest members on private projects. Affected versions are >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
Sources: cvelistv5, nvd
CVE-2020-13349 | MEDIUM | CVSS 4.3 | CWE-400 | Date 2020-11-17
Affected versions: >=8.12, <13.3.9; +4 more
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path left the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
Sources: cvelistv5, nvd
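Catastrophic backtracking in a path regex is reproducible with a probe string and a timed match. The block below is an added example and not GitLab's code; the advisory names no pattern, so AMBIGUOUS_PATH is an assumed stand-in with the same defect class (a nested quantifier whose iterations overlap), shown beside an unambiguous rewrite and a probe that times both.

```ruby
require "timeout"

# Added example, not GitLab code. The advisory names no pattern, so the
# ambiguous path regex below is an assumption that stands in for it: the
# optional "/" lets a run of word characters be split into segments in
# 2^(n-1) ways, and a non-matching tail makes the engine try them all.
AMBIGUOUS_PATH = %r{\A(?:[\w.-]+/?)*\z}

# Unambiguous rewrite: every further segment must begin with "/", so each
# character can be consumed in exactly one way (a trailing "/" is rejected).
SAFE_PATH = %r{\A[\w.-]+(?:/[\w.-]+)*\z}

# ReDoS probe: n characters that match, then one that never can.
def probe_input(n)
  ("a" * n) + "!"
end

# Time one match attempt, abandoning it after `limit` seconds. Returns
# elapsed seconds, or :timeout if the engine did not finish in time.
def match_time(regex, input, limit: 2.0)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Timeout.timeout(limit) { regex.match?(input) }
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
rescue Timeout::Error
  :timeout
end

# The validator the search code should actually use.
def valid_path?(path)
  SAFE_PATH.match?(path)
end

if __FILE__ == $PROGRAM_NAME
  [18, 22, 26].each do |n|
    input = probe_input(n)
    puts format("n=%2d  ambiguous=%-12s safe=%s", n,
                match_time(AMBIGUOUS_PATH, input).inspect,
                match_time(SAFE_PATH, input).inspect)
  end
end
```

On Ruby versions before 3.2 the ambiguous pattern hits the two-second limit at modest n while the rewrite stays in microseconds; Ruby 3.2 and later memoize backtracking for patterns like this one, so both finish quickly there. The rewrite is the fix that holds on every version; a global Regexp.timeout (3.2+) or a Timeout wrapper around untrusted matches is the backstop, not the cure.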
CVE-2020-13348 | MEDIUM | CVSS 5.7 | Date 2020-11-17
Affected versions: >=10.2, <13.3.9; >=13.4, <13.4.5; +1 more
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
Sources: cvelistv5, nvd
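The bypass shape here is an approval policy that is only as strong as the presence of a file on the branch being merged into. The block below is an added example and not GitLab's code: a minimal CODEOWNERS evaluator that computes required approvers from the target branch, shows the empty result when that branch lacks the file, and contrasts it with a fail-closed variant. The branch names, file contents, paths and the fail-closed rule are this example's assumptions, not a description of GitLab's actual fix.

```ruby
# Added example, not GitLab's code: a minimal CODEOWNERS evaluator that
# shows the bypass shape in the advisory. Branch names, paths, owners and
# the fail-closed policy below are this example's assumptions.

class MissingCodeownersError < StandardError; end

# Parse CODEOWNERS text into [pattern, owners] pairs in file order.
def parse_codeowners(text)
  text.each_line.filter_map do |line|
    line = line.sub(/#.*/, "").strip          # drop comments
    next if line.empty?
    pattern, *owners = line.split(/\s+/)
    [pattern, owners]
  end
end

# Compile one CODEOWNERS pattern to a regex over a repo-relative path.
# "/config/" and "lib/auth/" are anchored at the root; "*.rb" and "docs/"
# match at any depth; a trailing "/" means everything below that directory.
def codeowners_regex(pattern)
  anchored = pattern.start_with?("/") || pattern.delete_suffix("/").include?("/")
  body = pattern.delete_prefix("/")
  dir = body.end_with?("/")
  body = body.delete_suffix("/")
  esc = Regexp.escape(body).gsub('\*\*', ".*").gsub('\*', "[^/]*").gsub('\?', "[^/]")
  Regexp.new((anchored ? '\A' : '\A(?:.*/)?') + esc + (dir ? '/.*\z' : '(?:/.*)?\z'))
end

# The last matching rule wins.
def owners_for(rules, path)
  rules.reverse_each { |pattern, owners| return owners if codeowners_regex(pattern).match?(path) }
  []
end

def required_approvers(rules, changed_paths)
  changed_paths.flat_map { |path| owners_for(rules, path) }.uniq
end

# Constructed repository state: CODEOWNERS lives on main, but a protected
# release branch was cut before it existed and a feature branch never had it.
MAIN_CODEOWNERS = <<~OWNERS
  # last matching rule wins
  *.rb        @backend
  /config/    @ops @security
  lib/auth/   @security
OWNERS
BRANCH_FILES = {
  "main"        => { "CODEOWNERS" => MAIN_CODEOWNERS },
  "release/1.x" => {},
  "feature/x"   => {},
}.freeze
PROTECTED_BRANCHES = %w[main release/1.x].freeze

# Naive: read CODEOWNERS from whatever branch the MR targets. A target
# without the file yields no rules, so no owner approval is required.
def approvers_naive(target_branch, changed_paths)
  text = BRANCH_FILES.fetch(target_branch).fetch("CODEOWNERS", "")
  required_approvers(parse_codeowners(text), changed_paths)
end

# Fail closed: owner approval is a property of the protected target
# branch, so a protected target with no CODEOWNERS is a policy error,
# not an empty policy. Unprotected targets stay out of scope, as before.
def approvers_fail_closed(target_branch, changed_paths)
  files = BRANCH_FILES.fetch(target_branch)
  if PROTECTED_BRANCHES.include?(target_branch) && !files.key?("CODEOWNERS")
    raise MissingCodeownersError, "#{target_branch} is protected but has no CODEOWNERS"
  end
  required_approvers(parse_codeowners(files.fetch("CODEOWNERS", "")), changed_paths)
end

if __FILE__ == $PROGRAM_NAME
  changed = ["lib/auth/session.rb", "config/database.yml"]
  p approvers_naive("main", changed)          # owners required
  p approvers_naive("release/1.x", changed)   # [] : the bypass
  begin
    approvers_fail_closed("release/1.x", changed)
  rescue MissingCodeownersError => e
    puts "blocked: #{e.message}"
  end
end
```

The practical check on an instance is the same as the example's naive path: list every protected branch and confirm each one carries the CODEOWNERS file (or inherits a policy that does not depend on it), since an MR can be pointed at any branch the author can target.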
CVE-2019-15590 | HIGH | CVSS 7.5 | CWE-284 | Date 2020-01-28
Affected versions: before 12.3.5; before 12.2.8; +1 more
An access control issue exists in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.3.5, 12.2.8, and 12.1.14, where private merge requests and issues would be disclosed through the Group Search feature provided by the Elasticsearch integration.
Sources: cvelistv5, nvd
CVE-2019-5474 | MEDIUM | CVSS 6.5 | CWE-284 | Date 2020-01-28
Affected versions: before 12.1.2; before 12.0.4; +1 more
An authorization issue was discovered in GitLab EE before 12.1.2, 12.0.4, and 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
Sources: cvelistv5, nvd
CVE-2019-15582 | MEDIUM | CVSS 5.3 | CWE-639 | Date 2020-01-28
Affected versions: before 12.3.2; before 12.2.6; +1 more
An IDOR was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.3.2, 12.2.6, and 12.1.12 that allowed a maintainer to add any private group to a protected environment.
Sources: cvelistv5, nvd
CVE-2019-15581 | MEDIUM | CVSS 5.3 | CWE-639 | Date 2020-01-28
Affected versions: before 12.3.2; before 12.2.6; +1 more
An IDOR exists in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.3.2, 12.2.6, and 12.1.12 that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
Sources: cvelistv5, nvd
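CVE-2019-15582 and CVE-2019-15581 share one defect: an endpoint takes a group id from the caller and resolves it by existence alone, so any id the caller can guess becomes a group they can attach or enumerate. The block below is an added example and not GitLab's code; it shows the unchecked lookup beside a lookup that resolves the id as the acting user, applied to both the protected-environment and the approval-rule case. The users, groups, visibility rule and error type are constructed for the example.

```ruby
# Added example, not GitLab's code: the IDOR shape shared by the two
# advisories above. Users, groups and the visibility rule are constructed.

User  = Struct.new(:id, :name)
Group = Struct.new(:id, :name, :visibility, :member_ids)   # :public or :private

class NotFound < StandardError; end   # one error for "absent" and "not yours"

# Visibility rule an endpoint must apply before acting on a group id.
def readable_group?(user, group)
  group.visibility == :public || group.member_ids.include?(user.id)
end

# Vulnerable shape: existence is the only check, so any maintainer can
# attach (and thereby enumerate) a private group by guessing its id.
def find_group_unchecked(groups, group_id)
  groups.fetch(group_id) { raise NotFound }
end

# Hardened: resolve the id as the acting user. Raising the same error
# for "absent" and "not visible" avoids confirming that the id exists.
def find_readable_group(groups, user, group_id)
  group = groups[group_id]
  raise NotFound unless group && readable_group?(user, group)
  group
end

# Protected-environment deploy access (CVE-2019-15582 shape): the group
# is added only if the actor could have picked it from a listing.
def add_deploy_access(groups, actor, environment, group_id)
  group = find_readable_group(groups, actor, group_id)
  environment[:deploy_access_groups] << group.id
  environment
end

# Approval-rule group members (CVE-2019-15581 shape): list members only
# of groups the actor can read, never of an arbitrary id they name.
def approval_rule_members(groups, actor, group_id)
  find_readable_group(groups, actor, group_id).member_ids
end

# Constructed data: a public group the maintainer belongs to, and a private
# group (e.g. an acquisition team) they have no relationship with.
GROUPS = {
  1 => Group.new(1, "public-tools", :public, [10, 11]),
  2 => Group.new(2, "private-acquisition", :private, [20, 21]),
}.freeze
MAINTAINER = User.new(10, "mallory")   # maintainer of an unrelated project

if __FILE__ == $PROGRAM_NAME
  p find_group_unchecked(GROUPS, 2).member_ids            # leaks [20, 21]
  begin
    approval_rule_members(GROUPS, MAINTAINER, 2)
  rescue NotFound
    puts "group 2: not found"                             # hardened path
  end
  p add_deploy_access(GROUPS, MAINTAINER, { deploy_access_groups: [] }, 1)
end
```

The test for this class of bug on an instance is the same for both endpoints: as a maintainer of an unrelated project, submit a group id you are not a member of and confirm the response is indistinguishable from a non-existent id.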