This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Gitlab First view 2014-05-12
Product Gitlab Last view 2024-07-17
Version 2.6.0 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:gitlab:gitlab

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
5.3 2024-07-17 CVE-2024-6595

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.

9.8 2024-07-11 CVE-2024-6385

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

2.7 2024-07-11 CVE-2024-5470

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.

2.7 2024-07-11 CVE-2024-5257

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.

2.7 2024-07-11 CVE-2024-2880

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.

7.5 2024-06-27 CVE-2024-6323

Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.

8.8 2024-06-27 CVE-2024-5655

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.

4.9 2024-06-27 CVE-2024-5430

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL.

5.4 2024-06-27 CVE-2024-4901

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.

6.5 2024-06-27 CVE-2024-4557

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline.

4.3 2024-06-27 CVE-2024-4011

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.

6.5 2024-06-27 CVE-2024-3959

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user.

4.3 2024-06-27 CVE-2024-3115

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.

5.3 2024-06-27 CVE-2024-2191

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.

5.5 2024-06-27 CVE-2024-1816

An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.

6.5 2024-06-27 CVE-2024-1493

An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server

4.4 2024-06-12 CVE-2024-4201

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.

6.5 2024-06-12 CVE-2024-1963

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.

6.5 2024-06-12 CVE-2024-1736

An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.

6.5 2024-06-12 CVE-2024-1495

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.

5.3 2024-02-22 CVE-2024-1525

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP.

4.3 2024-02-22 CVE-2024-0861

An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.

7.7 2024-02-22 CVE-2024-0410

An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.

6.7 2024-02-22 CVE-2023-6477

An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.

4.3 2024-02-22 CVE-2023-4895

An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects

CWE : Common Weakness Enumeration

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
23% (118) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
8% (45) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
8% (45) CWE-200 Information Exposure
5% (26) CWE-732 Incorrect Permission Assignment for Critical Resource
4% (25) CWE-639 Access Control Bypass Through User-Controlled Key
4% (24) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
3% (17) CWE-269 Improper Privilege Management
3% (16) CWE-20 Improper Input Validation
2% (14) CWE-287 Improper Authentication
2% (12) CWE-532 Information Leak Through Log Files
1% (10) CWE-770 Allocation of Resources Without Limits or Throttling
1% (10) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
1% (10) CWE-352 Cross-Site Request Forgery (CSRF)
1% (10) CWE-276 Incorrect Default Permissions
1% (8) CWE-668 Exposure of Resource to Wrong Sphere
1% (8) CWE-281 Improper Preservation of Permissions
1% (7) CWE-209 Information Exposure Through an Error Message
1% (7) CWE-94 Failure to Control Generation of Code ('Code Injection')
1% (6) CWE-613 Insufficient Session Expiration
1% (6) CWE-306 Missing Authentication for Critical Function
0% (5) CWE-312 Cleartext Storage of Sensitive Information
0% (5) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
0% (4) CWE-640 Weak Password Recovery Mechanism for Forgotten Password
0% (4) CWE-522 Insufficiently Protected Credentials
0% (4) CWE-345 Insufficient Verification of Data Authenticity

SAINT Exploits

Description Link
GitLab ExifTool uploaded image command injection More info here

Snort® IPS/IDS

Date Description
2019-09-17 Gitlab directory traversal attempt
RuleID : 51058 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51057 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51056 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51055 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51054 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51053 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51052 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51051 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51050 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51049 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51048 - Type : FILE-OTHER - Revision : 1
2019-09-17 Gitlab directory traversal attempt
RuleID : 51047 - Type : FILE-OTHER - Revision : 1

Nessus® Vulnerability Scanner

id Description
2019-01-17 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_ff50192c19eb11e98573001b217b3468.nasl - Type: ACT_GATHER_INFO
2019-01-07 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b2f4ab910e6b11e98700001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-12-24 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_70b774a805bc11e987ad001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-12-17 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_757e6ee8ff9111e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-12-07 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_9d3428d4f98c11e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-11-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_8a4aba2df33e11e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_d889d32cecd911e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b51d9e83de0811e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-10-30 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b9591212dba711e89416001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-10-09 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_23413442c8ea11e8b35c001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-10-02 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_065b3b72c5ab11e89ae2001b217b3468.nasl - Type: ACT_GATHER_INFO
2018-07-27 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_2da838f9916811e88c75d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-07-20 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_8fc615cc8a6611e88c75d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-06-27 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_b950a83b789e11e88545d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-05-23 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4206.nasl - Type: ACT_GATHER_INFO
2018-05-03 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_9dfe61c84d1511e88f2fd8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-03-29 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_dc0c201c31da11e8ac53d8cb8abf62dd.nasl - Type: ACT_GATHER_INFO
2018-03-19 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4145.nasl - Type: ACT_GATHER_INFO
2018-01-18 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_65fab89f223146db8541978f4e87f32a.nasl - Type: ACT_GATHER_INFO
2017-08-14 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_abcc5ad37e6a11e793f7d43d7e971a1b.nasl - Type: ACT_GATHER_INFO