
Summary

Detail
Vendor:            Gitlab
Product:           Gitlab
Version:           10.0.3
Update:            *
Edition:           *
Language:          *
Software Edition:  enterprise
Target Software:   *
Target Hardware:   *
Other:             *

First view:        2018-03-21
Last view:         2020-07-07
Type:              Application

CPE Product:       cpe:2.3:a:gitlab:gitlab

Activity : Overall

Related : CVE

This CPE has more than 25 relations; only 25 are listed in this summary.

Score  Date  Alert  Description
5.3 2020-07-07 CVE-2020-15525

GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.

6.5 2020-06-19 CVE-2020-13277

An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5

4.3 2020-06-19 CVE-2020-13276

User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1

8.1 2020-06-19 CVE-2020-13275

A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1

7.5 2020-06-19 CVE-2020-13274

A security issue allowed denial-of-service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1

7.5 2020-06-19 CVE-2020-13273

A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1

8.8 2020-06-19 CVE-2020-13272

Missing verification checks in the OAuth flow in GitLab CE/EE 12.3 and later through 13.0.1 allow an unverified user to use the OAuth authorization code flow

5.3 2020-06-19 CVE-2020-13265

User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification

5.3 2020-06-19 CVE-2020-13264

Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token

8.8 2020-06-19 CVE-2020-13263

An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer and perform limited actions.

6.1 2020-06-19 CVE-2020-13262

Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to issue PUT requests on behalf of other users when they click on a link

2.7 2020-06-19 CVE-2020-13261

Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code

6.1 2020-06-10 CVE-2020-13271

A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1

8.8 2020-06-10 CVE-2020-13270

Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API

6.1 2020-06-10 CVE-2020-13269

A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary JavaScript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1

5.3 2020-06-10 CVE-2020-13268

A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1

6.1 2020-06-10 CVE-2020-13267

A Stored Cross-Site Scripting vulnerability allowed the execution of JavaScript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1

4.3 2020-06-09 CVE-2020-13266

Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions

5.3 2020-05-07 CVE-2020-12448

GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet.

5.3 2020-04-29 CVE-2020-12277

GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated.

4.8 2020-04-29 CVE-2020-12276

GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.

5.3 2020-04-29 CVE-2020-12275

GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.

6.5 2020-04-22 CVE-2020-11649

An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted.

7.5 2020-04-22 CVE-2020-11506

An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.

7.5 2020-04-22 CVE-2020-11505

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling.

CWE : Common Weakness Enumeration

This CPE has more than 25 relations; only 25 are listed in this summary.

%    (count)  CWE ID   Name
32% (96) CWE-200 Information Exposure
16% (47) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
6% (18) CWE-284 Access Control (Authorization) Issues
5% (16) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
5% (15) CWE-20 Improper Input Validation
4% (14) CWE-732 Incorrect Permission Assignment for Critical Resource
4% (13) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
3% (9) CWE-269 Improper Privilege Management
2% (7) CWE-276 Incorrect Default Permissions
2% (6) CWE-275 Permission Issues
1% (5) CWE-287 Improper Authentication
1% (5) CWE-285 Improper Access Control (Authorization)
1% (5) CWE-281 Improper Preservation of Permissions
1% (4) CWE-639 Access Control Bypass Through User-Controlled Key
1% (4) CWE-306 Missing Authentication for Critical Function
1% (4) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
0% (2) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
0% (2) CWE-532 Information Leak Through Log Files
0% (2) CWE-522 Insufficiently Protected Credentials
0% (2) CWE-362 Race Condition
0% (2) CWE-352 Cross-Site Request Forgery (CSRF)
0% (2) CWE-312 Cleartext Storage of Sensitive Information
0% (1) CWE-798 Use of Hard-coded Credentials
0% (1) CWE-674 Uncontrolled Recursion
0% (1) CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Snort® IPS/IDS

Date        RuleID  Type        Revision  Description
2019-09-17  51058   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51057   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51056   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51055   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51054   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51053   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51052   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51051   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51050   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51049   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51048   FILE-OTHER  1         Gitlab directory traversal attempt
2019-09-17  51047   FILE-OTHER  1         Gitlab directory traversal attempt

Nessus® Vulnerability Scanner

Date        Name (plugin file and type on the following line)
2019-01-17 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_ff50192c19eb11e98573001b217b3468.nasl - Type: ACT_GATHER_INFO
2019-01-07 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b2f4ab910e6b11e98700001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-12-24 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_70b774a805bc11e987ad001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-12-17 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_757e6ee8ff9111e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-12-07 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_9d3428d4f98c11e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-11-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_8a4aba2df33e11e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_d889d32cecd911e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b51d9e83de0811e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-10-30 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b9591212dba711e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-10-09 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_23413442c8ea11e8b35c001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-07-27 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_2da838f9916811e88c75d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-07-20 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_8fc615cc8a6611e88c75d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-06-27 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b950a83b789e11e88545d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-05-23 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4206.nasl - Type: ACT_GATHER_INFO
2018-05-03 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_9dfe61c84d1511e88f2fd8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-03-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_dc0c201c31da11e8ac53d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-03-19 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4145.nasl - Type: ACT_GATHER_INFO
2018-01-18 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_65fab89f223146db8541978f4e87f32a.nasl - Type: ACT_GATHER_INFO