Summary
| Detail | |||
|---|---|---|---|
| Vendor | Gitlab | First view | 2017-05-04 |
| Product | Gitlab | Last view | 2020-06-19 |
| Version | 8.9.1 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | enterprise | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:gitlab:gitlab | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 6.5 | 2020-06-19 | CVE-2020-13277 | An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5 |
| 4.3 | 2020-06-19 | CVE-2020-13276 | User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1 |
| 8.1 | 2020-06-19 | CVE-2020-13275 | A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1 |
| 7.5 | 2020-06-19 | CVE-2020-13274 | A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1 |
| 7.5 | 2020-06-19 | CVE-2020-13273 | A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1 |
| 8.8 | 2020-06-19 | CVE-2020-13272 | OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow |
| 5.3 | 2020-06-19 | CVE-2020-13265 | User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification |
| 5.3 | 2020-06-19 | CVE-2020-13264 | Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token |
| 8.8 | 2020-06-19 | CVE-2020-13263 | An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions. |
| 6.1 | 2020-06-19 | CVE-2020-13262 | Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link |
| 6.1 | 2020-06-10 | CVE-2020-13271 | A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1 |
| 8.8 | 2020-06-10 | CVE-2020-13270 | Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API |
| 6.1 | 2020-06-10 | CVE-2020-13269 | A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1 |
| 5.3 | 2020-06-10 | CVE-2020-13268 | A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1 |
| 6.1 | 2020-06-10 | CVE-2020-13267 | A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1 |
| 4.3 | 2020-06-09 | CVE-2020-13266 | Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions |
| 5.3 | 2020-05-07 | CVE-2020-12448 | GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. |
| 5.3 | 2020-04-29 | CVE-2020-12277 | GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated. |
| 4.8 | 2020-04-29 | CVE-2020-12276 | GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. |
| 5.3 | 2020-04-29 | CVE-2020-12275 | GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API. |
| 6.5 | 2020-04-22 | CVE-2020-11649 | An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. |
| 7.5 | 2020-04-22 | CVE-2020-11506 | An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling. |
| 7.5 | 2020-04-22 | CVE-2020-11505 | An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling. |
| 4.3 | 2020-04-08 | CVE-2020-10981 | GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project. |
| 9.8 | 2020-04-08 | CVE-2020-10980 | GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 32% (96) | CWE-200 | Information Exposure |
| 16% (48) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 6% (18) | CWE-284 | Access Control (Authorization) Issues |
| 5% (16) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
| 5% (16) | CWE-20 | Improper Input Validation |
| 5% (15) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 4% (13) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
| 2% (8) | CWE-269 | Improper Privilege Management |
| 2% (7) | CWE-276 | Incorrect Default Permissions |
| 2% (6) | CWE-275 | Permission Issues |
| 1% (5) | CWE-287 | Improper Authentication |
| 1% (5) | CWE-285 | Improper Access Control (Authorization) |
| 1% (5) | CWE-281 | Improper Preservation of Permissions |
| 1% (4) | CWE-639 | Access Control Bypass Through User-Controlled Key |
| 1% (4) | CWE-306 | Missing Authentication for Critical Function |
| 1% (4) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
| 0% (2) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| 0% (2) | CWE-532 | Information Leak Through Log Files |
| 0% (2) | CWE-362 | Race Condition |
| 0% (2) | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 0% (2) | CWE-312 | Cleartext Storage of Sensitive Information |
| 0% (1) | CWE-798 | Use of Hard-coded Credentials |
| 0% (1) | CWE-674 | Uncontrolled Recursion |
| 0% (1) | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
| 0% (1) | CWE-522 | Insufficiently Protected Credentials |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51058 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51057 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51056 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51055 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51054 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51053 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51052 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51051 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51050 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51049 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51048 - Type : FILE-OTHER - Revision : 1 |
| 2019-09-17 | Gitlab directory traversal attempt RuleID : 51047 - Type : FILE-OTHER - Revision : 1 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2019-01-17 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_ff50192c19eb11e98573001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2019-01-07 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b2f4ab910e6b11e98700001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-12-24 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_70b774a805bc11e987ad001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-12-17 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_757e6ee8ff9111e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-12-07 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_9d3428d4f98c11e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-11-29 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_8a4aba2df33e11e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-11-21 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_d889d32cecd911e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-11-02 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b51d9e83de0811e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-10-30 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b9591212dba711e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-10-09 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_23413442c8ea11e8b35c001b217b3468.nasl - Type: ACT_GATHER_INFO |
| 2018-07-27 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_2da838f9916811e88c75d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO |
| 2018-07-20 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_8fc615cc8a6611e88c75d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO |
| 2018-06-27 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b950a83b789e11e88545d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO |
| 2018-05-23 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4206.nasl - Type: ACT_GATHER_INFO |
| 2018-05-03 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_9dfe61c84d1511e88f2fd8cb8abf62dd.nasl - Type: ACT_GATHER_INFO |
| 2018-03-29 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_dc0c201c31da11e8ac53d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO |
| 2018-03-19 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4145.nasl - Type: ACT_GATHER_INFO |
| 2018-01-18 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_65fab89f223146db8541978f4e87f32a.nasl - Type: ACT_GATHER_INFO |
| 2017-08-14 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_abcc5ad37e6a11e793f7d43d7e971a1b.nasl - Type: ACT_GATHER_INFO |
