This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Gitlab
Product: Gitlab
Version: 11.5.11
Update: *
Edition: *
Language: *
Software Edition: community
Target Software: *
Target Hardware: *
Other: *

First view: 2019-04-11
Last view: 2020-06-19
Type: Application

CPE Product: cpe:2.3:a:gitlab:gitlab

Activity : Overall

Related : CVE

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Score  Date        Alert           Description
6.5 2020-06-19 CVE-2020-13277

An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5

4.3 2020-06-19 CVE-2020-13276

User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1

8.1 2020-06-19 CVE-2020-13275

A user with an unverified email address could request access to domain-restricted groups in GitLab EE 12.2 and later through 13.0.1

7.5 2020-06-19 CVE-2020-13274

A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1

7.5 2020-06-19 CVE-2020-13273

A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1

8.8 2020-06-19 CVE-2020-13272

OAuth flow missing verification checks in GitLab CE/EE 12.3 and later through 13.0.1 allows an unverified user to use the OAuth authorization code flow

5.3 2020-06-19 CVE-2020-13265

User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification

5.3 2020-06-19 CVE-2020-13264

Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token

8.8 2020-06-19 CVE-2020-13263

An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate a maintainer to perform limited actions.

6.1 2020-06-19 CVE-2020-13262

Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to issue PUT requests on behalf of other users when they click on a link

2.7 2020-06-19 CVE-2020-13261

Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code

6.1 2020-06-10 CVE-2020-13271

A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1

8.8 2020-06-10 CVE-2020-13270

Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API

6.1 2020-06-10 CVE-2020-13269

A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1

5.3 2020-06-10 CVE-2020-13268

A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1

6.1 2020-06-10 CVE-2020-13267

A Stored Cross-Site Scripting vulnerability allowed the execution of Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1

4.3 2020-06-09 CVE-2020-13266

Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions

5.3 2020-05-07 CVE-2020-12448

GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet.

5.3 2020-04-29 CVE-2020-12277

GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated.

4.8 2020-04-29 CVE-2020-12276

GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.

5.3 2020-04-29 CVE-2020-12275

GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.

6.5 2020-04-22 CVE-2020-11649

An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted.

7.5 2020-04-22 CVE-2020-11506

An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.

7.5 2020-04-22 CVE-2020-11505

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling.

4.3 2020-04-08 CVE-2020-10981

GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.

CWE : Common Weakness Enumeration

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
%  (Count)  Id  Name
37% (86) CWE-200 Information Exposure
12% (28) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
6% (14) CWE-732 Incorrect Permission Assignment for Critical Resource
5% (13) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
5% (13) CWE-284 Access Control (Authorization) Issues
3% (9) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
3% (9) CWE-20 Improper Input Validation
3% (8) CWE-269 Improper Privilege Management
3% (7) CWE-276 Incorrect Default Permissions
2% (6) CWE-275 Permission Issues
2% (5) CWE-287 Improper Authentication
2% (5) CWE-281 Improper Preservation of Permissions
1% (4) CWE-639 Access Control Bypass Through User-Controlled Key
1% (4) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
1% (3) CWE-306 Missing Authentication for Critical Function
0% (2) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
0% (2) CWE-522 Insufficiently Protected Credentials
0% (1) CWE-798 Use of Hard-coded Credentials
0% (1) CWE-674 Uncontrolled Recursion
0% (1) CWE-399 Resource Management Errors
0% (1) CWE-362 Race Condition
0% (1) CWE-352 Cross-Site Request Forgery (CSRF)
0% (1) CWE-345 Insufficient Verification of Data Authenticity
0% (1) CWE-320 Key Management Errors
0% (1) CWE-312 Cleartext Storage of Sensitive Information

Nessus® Vulnerability Scanner

Id          Description
2019-01-07  Name: The remote FreeBSD host is missing one or more security-related updates.
            File: freebsd_pkg_b2f4ab910e6b11e98700001b217b3468.nasl - Type: ACT_GATHER_INFO