FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: Description
01974420-dfaf-11eb-ba49-001b217b3468: Gitlab -- vulnerability

Gitlab reports:

Arbitrary file read via design feature


Discovery 2021-07-07
Entry 2021-07-08
gitlab-ce
ge 14.0.0 lt 14.0.4

ge 13.12.0 lt 13.12.8

ge 13.11.0 lt 13.11.7

https://about.gitlab.com/releases/2021/07/07/critical-security-release-gitlab-14-0-4-released/
01bde18a-2e09-11ea-a935-001b217b3468: Gitlab -- Multiple Vulnerabilities

SO-AND-SO reports:

Group Maintainers Can Update/Delete Group Runners Using API

GraphQL Queries Can Hang the Application

Unauthorized Users Have Access to Milestones of Releases

Private Group Name Revealed Through Protected Tags API

Users Can Publish Reviews on Locked Merge Requests

DoS in the Issue and Commit Comments Pages

Project Name Disclosed Through Unsubscribe Link

Private Project Name Disclosed Through Notification Settings


Discovery 2020-01-02
Entry 2020-01-03
gitlab-ce
ge 12.6.0 lt 12.6.2

ge 12.5.0 lt 12.5.6

ge 5.1.0 lt 12.4.7

https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/
CVE-2019-20144
CVE-2019-20146
CVE-2019-20143
CVE-2019-20147
CVE-2019-20145
CVE-2019-20142
CVE-2019-20148
CVE-2020-5197
04422df1-40d8-11ed-9be7-454b1dd82c64: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level


Discovery 2022-09-29
Entry 2022-09-30
gitlab-ce
ge 15.4.0 lt 15.4.1

ge 15.3.0 lt 15.3.4

ge 9.3.0 lt 15.2.5

CVE-2022-3293
CVE-2022-3279
CVE-2022-3325
https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/
CVE-2022-3283
CVE-2022-3060
CVE-2022-2904
CVE-2022-3018
CVE-2022-3291
CVE-2022-3067
CVE-2022-2882
CVE-2022-3066
CVE-2022-3286
CVE-2022-3285
CVE-2022-3330
CVE-2022-3351
CVE-2022-3288
065b3b72-c5ab-11e8-9ae2-001b217b3468: Gitlab -- multiple vulnerabilities

Gitlab reports:

SSRF GCP access token disclosure

Persistent XSS on issue details

Diff formatter DoS in Sidekiq jobs

Confidential information disclosure in events API endpoint

validate_localhost function in url_blocker.rb could be bypassed

Slack integration CSRF Oauth2

GRPC::Unknown logging token disclosure

IDOR merge request approvals

Persistent XSS package.json

Persistent XSS merge request project import


Discovery 2018-10-01
Entry 2018-10-01
gitlab-ce
ge 11.3.0 lt 11.3.1

ge 11.2.0 lt 11.2.4

ge 7.6.0 lt 11.1.7

https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
CVE-2018-17450
CVE-2018-17454
CVE-2018-15472
CVE-2018-17449
CVE-2018-17452
CVE-2018-17451
CVE-2018-17453
CVE-2018-17455
CVE-2018-17537
CVE-2018-17536
0762fa72-e530-11e9-86e9-001b217b3468: Gitlab -- Disclosure Vulnerabilities

Gitlab reports:

Disclosure of Private Code, Merge Requests and Commits via Elasticsearch integration


Discovery 2019-10-02
Entry 2019-10-02
gitlab-ce
ge 12.3.0 lt 12.3.3

ge 12.2.0 lt 12.2.7

ge 8.17.0 lt 12.1.13

https://about.gitlab.com/2019/10/02/security-release-gitlab-12-dot-3-dot-3-released/
08fba28b-6f9f-11ea-bd0b-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Arbitrary File Read when Moving an Issue

Path Traversal in NPM Package Registry

SSRF on Project Import

External Users Can Create Personal Snippet

Triggers Description Can be Updated by Other Maintainers in Project

Information Disclosure on Confidential Issues Moved to Private Programs

Potential DoS in Repository Archive Download

Blocked Users Can Still Pull/Push Docker Images

Repository Mirroring not Disabled when Feature not Activated

Vulnerability Feedback Page Was Leaking Information on Vulnerabilities

Stored XSS Vulnerability in Admin Feature

Upload Feature Allowed a User to Read Unauthorized Exported Files

Unauthorized Users Are Able to See CI Metrics

Last Pipeline Status of a Merge Request Leaked

Blind SSRF on FogBugz

Update Nokogiri dependency


Discovery 2020-03-26
Entry 2020-03-26
gitlab-ce
ge 12.9.0 lt 12.9.1

ge 12.8.0 lt 12.8.8

ge 0 lt 12.7.8

https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-10953
CVE-2020-10956
CVE-2020-10954
CVE-2020-10952
CVE-2020-10955
CVE-2020-9795
0a305431-bc98-11ea-a051-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Missing Permission Check on Time Tracking

Cross-Site Scripting in PyPi Files API

Insecure Authorization Check on Private Project Security Dashboard

Cross-Site Scripting in References

Cross-Site Scripting in Group Names

Cross-Site Scripting in Blob Viewer

Cross-Site Scripting in Error Tracking

Insecure Authorisation Check on Creation and Deletion of Deploy Tokens

User Name Format Restriction Bypass

Denial of Service in Issue Comments

Cross-Site Scripting in Wiki Pages

Private Merge Request Updates Leaked via Todos

Private User Activity Leaked via API

Cross-Site Scripting in Bitbucket Import Feature

Github Project Restriction Bypass

Update PCRE Dependency

Update Kaminari Gem

Cross-Site Scripting in User Profile

Update Xterm.js


Discovery 2020-07-01
Entry 2020-07-02
gitlab-ce
ge 13.1.0 lt 13.1.2

ge 13.0.0 lt 13.0.8

ge 0 lt 12.10.13

https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/
CVE-2020-14155
CVE-2020-11082
CVE-2019-0542
0a8ebf4a-5660-11eb-b4e2-001b217b3468: Gitlab -- vulnerability

SO-AND-SO reports:

Ability to steal a user's API access token through GitLab Pages


Discovery 2021-01-14
Entry 2021-01-14
gitlab-ce
ge 13.7.0 lt 13.7.4

ge 13.6.0 lt 13.6.5

ge 12.2 lt 13.5.7

https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/
1020d401-6d2d-11eb-ab0b-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Improper Certificate Validation for Fortinet OTP

Denial of Service Attack on gitlab-shell

Resource exhaustion due to pending jobs

Confidential issue titles were exposed

Improper access control allowed demoted project members to access authored merge requests

Improper access control allowed unauthorized users to access analytic pages

Unauthenticated CI lint API may lead to information disclosure and SSRF

Prometheus integration in Gitlab may lead to SSRF


Discovery 2021-02-11
Entry 2021-02-12
gitlab-ce
ge 13.8.0 lt 13.8.4

ge 13.7.0 lt 13.7.7

ge 10.5 lt 13.6.7

https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/
11292460-3f2f-11e9-adcb-001b217b3468: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Arbitrary file read via MergeRequestDiff

CSRF add Kubernetes cluster integration

Blind SSRF in prometheus integration

Merge request information disclosure

IDOR milestone name information disclosure

Burndown chart information disclosure

Private merge request titles in public project information disclosure

Private namespace disclosure in email notification when issue is moved

Milestone name disclosure

Issue board name disclosure

NPM automatic package referencer

Path traversal snippet mover

Information disclosure repo existence

Issue DoS via Mermaid

Privilege escalation impersonate user


Discovery 2019-03-04
Entry 2019-03-05
gitlab-ce
ge 11.8.0 lt 11.8.1

ge 11.7.0 lt 11.7.6

ge 2.9.0 lt 11.6.10

https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/
CVE-2019-9221
CVE-2019-9176
CVE-2019-9174
CVE-2019-9172
CVE-2019-9170
CVE-2019-9175
CVE-2019-9178
CVE-2019-9179
CVE-2019-9171
CVE-2019-9224
CVE-2019-9225
CVE-2019-9219
CVE-2019-9217
CVE-2019-9222
CVE-2019-9223
CVE-2019-9220
CVE-2019-9485
1138b39e-6abb-11e9-a685-001b217b3468: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Moving an Issue to Private Repo Leaks Project Namespace

Notification Emails Sent to Restricted Users

Unauthorized Comments on Confidential Issues

Merge Request Approval Count Inflation

Unsanitized Branch Names on New Merge Request Notification Emails

Improper Sanitation of Credentials in Gitaly


Discovery 2019-04-29
Entry 2019-04-29
gitlab-ce
ge 11.10.0 lt 11.10.2

ge 11.9.0 lt 11.9.10

ge 6.0.0 lt 11.8.9

https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/
CVE-2019-11545
CVE-2019-11544
CVE-2019-11548
CVE-2019-11546
CVE-2019-11547
CVE-2019-11549
16f7ec68-5cce-11ed-9be7-454b1dd82c64: Gitlab -- Multiple vulnerabilities

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory


Discovery 2022-11-02
Entry 2022-11-05
gitlab-ce
ge 15.5.0 lt 15.5.2

ge 15.4.0 lt 15.4.4

ge 9.3.0 lt 15.3.5

CVE-2022-3767
CVE-2022-3265
CVE-2022-3483
CVE-2022-3818
CVE-2022-3726
CVE-2022-2251
CVE-2022-3486
CVE-2022-3793
CVE-2022-3413
CVE-2022-2761
CVE-2022-3819
CVE-2022-3280
CVE-2022-3706
https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/
174e466b-1d48-11eb-bd0f-001b217b3468: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Path Traversal in LFS Upload

Path traversal allows saving packages in arbitrary location

Kubernetes agent API leaks private repos

Terraform state deletion API exposes object storage URL

Stored-XSS in error message of build-dependencies

Git credentials persisted on disk

Potential Denial of service via container registry

Info leak when group is transferred from private to public group

Limited File Disclosure Via Multipart Bypass

Unauthorized user is able to access scheduled pipeline variables and values

CSRF in runner administration page allows an attacker to pause/resume runners

Regex backtracking attack in path parsing of Advanced Search result

Bypass of required CODEOWNERS approval

SAST CiConfiguration information visible without permissions


Discovery 2020-11-02
Entry 2020-11-02
gitlab-ce
ge 13.5.0 lt 13.5.2

ge 13.4.0 lt 13.4.5

ge 8.8.9 lt 13.3.9

https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
CVE-2020-13355
CVE-2020-26405
CVE-2020-13358
CVE-2020-13359
CVE-2020-13340
CVE-2020-13353
CVE-2020-13354
CVE-2020-13352
CVE-2020-13356
CVE-2020-13351
CVE-2020-13350
CVE-2020-13349
CVE-2020-13348
1aa7a094-1147-11ea-b537-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Path traversal with potential remote code execution

Private objects exposed through project import

Disclosure of notes via Elasticsearch integration

Disclosure of comments via Elasticsearch integration

DNS Rebind SSRF in various chat notifications

Disclosure of vulnerability status in dependency list

Disclosure of commit count in Cycle Analytics

Exposure of related branch names

Tags pushes from blocked users

Branches and Commits exposed to Guest members via integration

IDOR when adding users to protected environments

Former project members able to access repository information

Unauthorized access to grafana metrics

Todos created for former project members

Update Mattermost dependency

Disclosure of AWS secret keys on certain Admin pages

Stored XSS in Group and User profile fields

Forked project information disclosed via Project API

Denial of Service in the issue and commit comment pages

Tokens stored in plaintext


Discovery 2019-11-27
Entry 2019-11-27
gitlab-ce
ge 12.5.0 lt 12.5.1

ge 12.4.0 lt 12.4.4

lt 12.3.7

https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
CVE-2019-19088
CVE-2019-19309
CVE-2019-19086
CVE-2019-19087
CVE-2019-19261
CVE-2019-19256
CVE-2019-19254
CVE-2019-19257
CVE-2019-19263
CVE-2019-19258
CVE-2019-19259
CVE-2019-19260
CVE-2019-19262
CVE-2019-19255
CVE-2019-19310
CVE-2019-19311
CVE-2019-19312
CVE-2019-19313
CVE-2019-19314
1bdd4db6-2223-11ec-91be-001b217b3468: Gitlab -- vulnerabilities

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing does not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry


Discovery 2021-09-30
Entry 2021-09-30
gitlab-ce
ge 14.3.0 lt 14.3.1

ge 14.2.0 lt 14.2.5

ge 0 lt 14.1.7

CVE-2021-39885
CVE-2021-39877
CVE-2021-39887
CVE-2021-39867
CVE-2021-39869
CVE-2021-39872
CVE-2021-39878
CVE-2021-39866
CVE-2021-39882
CVE-2021-39875
CVE-2021-39870
CVE-2021-39884
CVE-2021-39883
CVE-2021-22259
CVE-2021-39868
CVE-2021-39871
CVE-2021-39874
CVE-2021-39873
CVE-2021-39881
CVE-2021-39886
CVE-2021-39879
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/
1cd89254-b2db-11e9-8001-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

GitHub Integration SSRF

Trigger Token Impersonation

Build Status Disclosure

SSRF Mitigation Bypass

Information Disclosure New Issue ID

IDOR Label Name Enumeration

Persistent XSS Wiki Pages

User Revocation Bypass with Mattermost Integration

Arbitrary File Upload via Import Project Archive

Information Disclosure Vulnerability Feedback

Persistent XSS via Email

Denial Of Service Epic Comments

Email Verification Bypass

Override Merge Request Approval Rules


Discovery 2019-07-29
Entry 2019-07-30
gitlab-ce
ge 12.1.0 lt 12.1.2

ge 12.0.0 lt 12.0.4

ge 8.9.0 lt 11.11.7

https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
1d651770-f4f5-11eb-ba49-001b217b3468: Gitlab -- Gitlab

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add meta data upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author


Discovery 2021-08-03
Entry 2021-08-04
gitlab-ce
ge 14.1.0 lt 14.1.2

ge 14.0.0 lt 14.0.7

ge 0 lt 13.12.9

CVE-2021-22237
CVE-2021-22236
CVE-2021-22239
https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/
1ece5591-4ea9-11ea-86f0-001b217b3468: Gitlab -- Vulnerability

Gitlab reports:

Incorrect membership handling of group sharing feature


Discovery 2020-02-13
Entry 2020-02-13
gitlab-ce
ge 12.7.0 lt 12.7.6

ge 12.6.0 lt 12.6.7

ge 12.5.0 lt 12.5.10

https://about.gitlab.com/releases/2020/02/13/critical-security-release-gitlab-12-dot-7-dot-6-released/
CVE-2020-8795
1fb13175-ed52-11ea-8b93-001b217b3468: Gitlab -- multiple vulnerabilities

Gitlab reports:

Vendor Cross-Account Assume-Role Attack

Stored XSS on the Vulnerability Page

Outdated Job Token Can Be Reused to Access Unauthorized Resources

File Disclosure Via Workhorse File Upload Bypass

Unauthorized Maintainer Can Edit Group Badge

Denial of Service Within Wiki Functionality

Sign-in Vulnerable to Brute-force Attacks

Invalidated Session Allows Account Access With an Old Password

GitLab Omniauth Endpoint Renders User Controlled Messages

Blind SSRF Through Repository Mirroring

Information Disclosure Through Incorrect Group Permission Verifications

No Rate Limit on GitLab Webhook Feature

GitLab Session Revocation Feature Does Not Invalidate All Sessions

OAuth Authorization Scope for an External Application Can Be Changed Without User Consent

Unauthorized Maintainer Can Delete Repository

Improper Verification of Deploy-Key Leads to Access Restricted Repository

Disabled Repository Still Accessible With a Deploy-Token

Duplicated Secret Code Generated by 2 Factor Authentication Mechanism

Lack of Validation Within Project Invitation Flow

Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication

Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab

Lack of Upper Bound Check Leading to Possible Denial of Service

2 Factor Authentication for Groups Was Not Enforced Within API Endpoint

GitLab Runner Denial of Service via CI Jobs

Update jQuery Dependency


Discovery 2020-09-02
Entry 2020-09-02
gitlab-ce
ge 13.3.0 lt 13.3.4

ge 13.2.0 lt 13.2.8

ge 0 lt 13.1.10

https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/
CVE-2020-13318
CVE-2020-13301
CVE-2020-13284
CVE-2020-13298
CVE-2020-13313
CVE-2020-13311
CVE-2020-13289
CVE-2020-13302
CVE-2020-13314
CVE-2020-13309
CVE-2020-13287
CVE-2020-13306
CVE-2020-13299
CVE-2020-13300
CVE-2020-13317
CVE-2020-13303
CVE-2020-13316
CVE-2020-13304
CVE-2020-13305
CVE-2020-13307
CVE-2020-13308
CVE-2020-13315
CVE-2020-13297
CVE-2020-13310
CVE-2020-11022
21944144-1b90-11ea-a2d4-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Path traversal with potential remote code execution

Disclosure of private code via Elasticsearch integration

Update Git dependency


Discovery 2019-12-10
Entry 2019-12-10
gitlab-ce
ge 12.5.0 lt 12.5.4

ge 12.4.0 lt 12.4.6

ge 10.5.0 lt 12.3.9

https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/
CVE-2019-19628
CVE-2019-19629
CVE-2019-19604
23413442-c8ea-11e8-b35c-001b217b3468: Gitlab -- multiple vulnerabilities

Gitlab reports:

Merge request information disclosure

Private project namespace information disclosure

Gitlab Flavored Markdown API information disclosure


Discovery 2018-10-05
Entry 2018-10-05
gitlab-ce
ge 11.3.0 lt 11.3.4

ge 11.2.0 lt 11.2.5

ge 10.2.0 lt 11.1.8

https://about.gitlab.com/2018/10/05/critical-security-release-11-3-4/
CVE-2018-17939
CVE-2018-17976
CVE-2018-17975
2823048d-9f8f-11ec-8c9c-001b217b3468: Gitlab -- multiple vulnerabilities

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments


Discovery 2022-02-25
Entry 2022-03-09
gitlab-ce
ge 14.8.0 lt 14.8.2

ge 14.7.0 lt 14.7.4

ge 0 lt 14.6.5

CVE-2022-0735
CVE-2022-0549
CVE-2022-0751
CVE-2022-0741
CVE-2021-4191
CVE-2022-0738
CVE-2022-0489
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
2da838f9-9168-11e8-8c75-d8cb8abf62dd: Gitlab -- multiple vulnerabilities

Gitlab reports:

Markdown DoS

Information Disclosure Prometheus Metrics

CSRF in System Hooks

Persistent XSS Pipeline Tooltip

Persistent XSS in Branch Name via Web IDE

Persistent XSS in Branch Name via Web IDE


Discovery 2018-07-26
Entry 2018-07-27
gitlab-ce
ge 11.1.0 lt 11.1.2

ge 11.0.0 lt 11.0.5

ge 2.7.0 lt 10.8.7

CVE-2018-14601
CVE-2018-14602
CVE-2018-14603
CVE-2018-14604
CVE-2018-14605
CVE-2018-14606
https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/
33557582-3958-11ec-90ba-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transferred

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address


Discovery 2021-10-28
Entry 2021-10-30
gitlab-ce
ge 14.4.0 lt 14.4.1

ge 14.3.0 lt 14.3.4

ge 0 lt 14.2.6

CVE-2021-39906
CVE-2021-39895
CVE-2021-39907
CVE-2021-39904
CVE-2021-39905
CVE-2021-39902
CVE-2021-39913
CVE-2021-39912
CVE-2021-39909
CVE-2021-39903
CVE-2021-39898
CVE-2021-39901
CVE-2021-39897
CVE-2021-39914
CVE-2021-39911
https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/
3507bfb3-85d5-11ec-8c9c-001b217b3468: Gitlab -- multiple vulnerabilities

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected


Discovery 2022-02-03
Entry 2022-02-04
gitlab-ce
ge 14.7.0 lt 14.7.1

ge 14.6.0 lt 14.6.4

ge 0 lt 14.5.4

CVE-2022-0427
CVE-2022-0425
CVE-2022-0123
CVE-2022-0136
CVE-2022-0283
CVE-2022-0390
CVE-2022-0373
CVE-2022-0371
CVE-2021-39943
CVE-2022-0477
CVE-2022-0167
CVE-2022-0249
CVE-2022-0344
CVE-2022-0488
CVE-2021-39931
https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/
3a023570-91ab-11ed-8950-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser


Discovery 2023-01-09
Entry 2023-01-11
gitlab-ce
ge 15.7.0 lt 15.7.2

ge 15.6.0 lt 15.6.4

ge 6.6.0 lt 15.5.7

CVE-2022-4037
CVE-2022-3613
CVE-2022-4365
CVE-2022-4342
CVE-2022-3573
CVE-2022-4167
CVE-2022-3870
CVE-2023-0042
CVE-2022-4131
CVE-2022-3514
https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released/
3cde510a-7135-11ed-a28b-bff032704f00: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address


Discovery 2022-11-30
Entry 2022-12-01
gitlab-ce
ge 15.6.0 lt 15.6.1

ge 15.5.0 lt 15.5.5

ge 9.3.0 lt 15.4.6

CVE-2022-4206
CVE-2022-3820
CVE-2022-3740
CVE-2022-4205
CVE-2022-3902
CVE-2022-4054
CVE-2022-3572
CVE-2022-3482
CVE-2022-3478
CVE-2022-4201
https://about.gitlab.com/releases/2022/11/30/security-release-gitlab-15-6-1-released/
4091069e-860b-11e9-a05f-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Remote Command Execution Vulnerability on Repository Download Feature

Confidential Issue Titles Revealed to Restricted Users on Unsubscribe

Disclosure of Milestone Metadata through the Search API

Private Project Discovery via Comment Links

Metadata of Confidential Issues Disclosed to Restricted Users

Mandatory External Authentication Provider Sign-In Restrictions Bypass

Internal Projects Allowed to Be Created in Private Groups

Server-Side Request Forgery Through DNS Rebinding

Stored Cross-Site Scripting on Wiki Pages

Stored Cross-Site Scripting on Notes

Repository Password Disclosed on Import Error Page

Protected Branches Restriction Rules Bypass

Stored Cross-Site Scripting Vulnerability on Child Epics


Discovery 2019-06-03
Entry 2019-06-03
gitlab-ce
ge 11.11.0 lt 11.11.1

ge 11.10.0 lt 11.10.5

ge 6.8.0 lt 11.9.12

https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/
CVE-2019-12430
CVE-2019-12432
CVE-2019-12431
CVE-2019-12434
CVE-2019-12429
CVE-2019-12428
CVE-2019-12433
CVE-2019-12443
CVE-2019-12444
CVE-2019-12445
CVE-2019-12446
CVE-2019-12441
CVE-2019-12442
40bfab16-a68b-11ea-9ea5-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

CI Token Access Control


Discovery 2020-06-03
Entry 2020-06-04
gitlab-ce
ge 13.0.0 lt 13.0.4

ge 12.10.0 lt 12.10.9

ge 10.6.0 lt 12.9.9

https://about.gitlab.com/releases/2020/06/03/critical-security-release-13-0-4-released/
43ee6c1d-29ee-11e9-82a1-001b217b3468: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Leak of Confidential Issue and Merge Request Titles

Persistent XSS in User Status


Discovery 2019-02-05
Entry 2019-02-06
gitlab-ce
ge 11.7.0 lt 11.7.4

ge 11.6.0 lt 11.6.9

https://about.gitlab.com/2019/02/05/critical-security-release-gitlab-11-dot-7-dot-4-released/
CVE-2019-7353
CVE-2019-6796
43f84437-73ab-11ec-a587-001b217b3468: Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port


Discovery 2022-01-11
Entry 2022-01-12
gitlab-ce
ge 14.6.0 lt 14.6.2

ge 14.5.0 lt 14.5.3

ge 7.7 lt 14.4.5

CVE-2021-39946
CVE-2022-0154
CVE-2022-0152
CVE-2022-0151
CVE-2022-0172
CVE-2022-0090
CVE-2022-0125
CVE-2022-0124
CVE-2021-39942
CVE-2022-0093
CVE-2021-39927
https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/
467b7cbe-257d-11e9-8573-001b217b3468: Gitlab -- Multiple vulnerabilities

Gitlab reports:

Remote Command Execution via GitLab Pages

Covert Redirect to Steal GitHub/Bitbucket Tokens

Remote Mirror Branches Leaked by Git Transfer Refs

Denial of Service with Markdown

Guests Can View List of Group Merge Requests

Guest Can View Merge Request Titles via System Notes

Persistent XSS via KaTeX

Emails Sent to Unauthorized Users

Hyperlink Injection in Notification Emails

Unauthorized Access to LFS Objects

Trigger Token Exposure

Upgrade Rails to 5.0.7.1 and 4.2.11

Contributed Project Information Visible in Private Profile

Imported Project Retains Prior Visibility Setting

Error disclosure on Project Import

Persistent XSS in User Status

Last Commit Status Leaked to Guest Users

Mitigations for IDN Homograph and RTLO Attacks

Access to Internal Wiki When External Wiki Enabled

User Can Comment on Locked Project Issues

Unauthorized Reaction Emojis by Guest Users

User Retains Project Role After Removal from Private Group

GitHub Token Leaked to Maintainers

Unauthenticated Blind SSRF in Jira Integration

Unauthorized Access to Group Membership

Validate SAML Response in Group SAML SSO


Discovery 2019-01-31
Entry 2019-01-31
gitlab-ce
ge 11.7.0 lt 11.7.3

ge 11.6.0 lt 11.6.8

ge 0.0.0 lt 11.5.10

https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/
CVE-2019-6783
CVE-2019-6788
CVE-2019-6785
CVE-2019-6790
CVE-2019-6997
CVE-2019-6784
CVE-2019-6789
CVE-2019-6781
CVE-2019-6786
CVE-2019-6787
CVE-2018-16476
CVE-2019-6782
CVE-2019-6791
CVE-2019-6792
CVE-2019-6796
CVE-2019-6794
CVE-2019-6795
CVE-2019-6960
CVE-2019-6995
CVE-2019-7176
CVE-2019-7155
CVE-2019-6797
CVE-2019-6793
CVE-2019-6996
4c26f668-0fd2-11ed-a83d-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails


Discovery 2022-07-28
Entry 2022-07-30
gitlab-ce
ge 15.2.0 lt 15.2.1

ge 15.1.0 lt 15.1.4

ge 0 lt 15.0.5

CVE-2022-2512
CVE-2022-2498
CVE-2022-2326
CVE-2022-2417
CVE-2022-2501
CVE-2022-2497
CVE-2022-2531
CVE-2022-2539
CVE-2022-2456
CVE-2022-2500
CVE-2022-2303
CVE-2022-2095
CVE-2022-2499
CVE-2022-2307
CVE-2022-2459
CVE-2022-2534
https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/
4ce7c28a-11ac-11ea-b537-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Unauthorized access to grafana metrics

Update Mattermost dependency


Discovery 2019-11-27
Entry 2019-11-28
gitlab-ce
ge 12.5.0 lt 12.5.2

ge 12.4.0 lt 12.4.5

ge 11.9.0 lt 12.3.8

https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-2-released/
CVE-2019-19262
4ea507d1-9da8-11e9-a759-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Ability to Write a Note to a Private Snippet

Recent Pipeline Information Disclosed to Unauthorised Users

Resource Exhaustion Attack

Error Caused by Encoded Characters in Comments

Authorization Issues in GraphQL

Number of Merge Requests was Accessible

Enabling One of the Service Templates Could Cause Resource Depletion

Broken Access Control for the Content of Personal Snippets

Decoding Color Codes Caused Resource Depletion

Merge Request Template Name Disclosure

SSRF Vulnerability in Project GitHub Integration


Discovery 2019-07-03
Entry 2019-07-03
gitlab-ce
ge 12.0.0 lt 12.0.3

ge 11.11.0 lt 11.11.5

ge 8.3.0 lt 11.10.8

https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/
CVE-2019-13001
CVE-2019-13002
CVE-2019-13003
CVE-2019-13004
CVE-2019-13005
CVE-2019-13006
CVE-2019-13007
CVE-2019-13009
CVE-2019-13010
CVE-2019-13011
CVE-2019-13121
4faac805-6be0-11e9-a685-001b217b3468  Gitlab -- Information Disclosure

Gitlab reports:

Information Disclosure with Limited Scope Token


Discovery 2019-04-30
Entry 2019-05-01
gitlab-ce
ge 11.10.0 lt 11.10.3

ge 11.9.0 lt 11.9.11

ge 11.8.0 lt 11.8.10

https://about.gitlab.com/2019/04/30/security-release-gitlab-11-dot-10-dot-3-released/
CVE-2019-11605
50e59056-87f2-11eb-b6a2-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

Remote code execution via unsafe user-controlled markdown rendering options


Discovery 2021-03-17
Entry 2021-03-18
gitlab-ce
ge 13.9.0 lt 13.9.4

ge 13.8.0 lt 13.8.6

ge 13.2.0 lt 13.7.9

https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/
518a119c-a864-11eb-8ddb-001b217b3468  Gitlab -- Vulnerabilities

Gitlab reports:

Read API scoped tokens can execute mutations

Pull mirror credentials were exposed

Denial of Service when querying repository branches API

Non-owners can set system_note_timestamp when creating / updating issues

DeployToken will impersonate a User with the same ID when using Dependency Proxy


Discovery 2021-04-28
Entry 2021-04-28
gitlab-ce
ge 13.11.0 lt 13.11.2

ge 13.10.0 lt 13.10.4

ge 11.6.0 lt 13.9.7

https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/
CVE-2021-22209
CVE-2021-22206
CVE-2021-22210
CVE-2021-22208
CVE-2021-22211
56abf87b-96ad-11eb-a218-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

Arbitrary File Read During Project Import

Kroki Arbitrary File Read/Write

Stored Cross-Site-Scripting in merge requests

Access data of an internal project through a public project fork as an anonymous user

Incident metric images can be deleted by any user

Infinite Loop When a User Access a Merge Request

Stored XSS in scoped labels

Admin CSRF in System Hooks Execution Through API

Update OpenSSL dependency

Update PostgreSQL dependency


Discovery 2021-03-31
Entry 2021-04-06
gitlab-ce
ge 13.10.0 lt 13.10.1

ge 13.9.0 lt 13.9.5

ge 9 lt 13.8.7

https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/
570706ff-7ee0-11ea-bd0b-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

NuGet Package and File Disclosure through GitLab Workhorse

Job Artifact Uploads and File Disclosure through GitLab Workhorse

Incorrect membership following group removal

Logging of Praefect tokens

Update Rack dependency

Update OpenSSL dependency


Discovery 2020-04-14
Entry 2020-04-15
gitlab-ce
ge 12.9.0 lt 12.9.3

ge 12.8.0 lt 12.8.9

ge 0 lt 12.7.9

https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/
CVE-2020-11505
CVE-2020-11506
CVE-2020-11649
CVE-2020-16782
5d5e5cda-38e6-11eb-bbbf-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

XSS in Zoom Meeting URL

Limited Information Disclosure in Private Profile

User email exposed via GraphQL endpoint

Group and project membership potentially exposed via GraphQL

Search terms logged in search parameter in rails logs

Un-authorised access to feature flag user list

A specific query on the explore page causes statement timeouts

Exposure of starred projects on private user profiles

Uncontrolled Resource Consumption in any Markdown field using Mermaid

Former group members able to view updates to confidential epics

Update GraphicsMagick dependency

Update GnuPG dependency

Update libxml dependency


Discovery 2020-12-07
Entry 2020-12-07
gitlab-ce
ge 13.6.0 lt 13.6.2

ge 13.5.0 lt 13.5.5

ge 12.2 lt 13.4.9

https://about.gitlab.com/releases/2020/12/07/security-release-gitlab-13-6-2-released/
CVE-2020-26407
CVE-2020-26408
CVE-2020-13357
CVE-2020-26411
CVE-2020-26409
5f52d646-c31f-11eb-8dcf-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Stealing GitLab OAuth access tokens using XSLeaks in Safari

Denial of service through recursive triggered pipelines

Unauthenticated CI lint API may lead to information disclosure and SSRF

Server-side DoS through rendering crafted Markdown documents

Issue and merge request length limit is not being enforced

Insufficient Expired Password Validation

XSS in blob viewer of notebooks

Logging of Sensitive Information

On-call rotation information exposed when removing a member

Spoofing commit author for signed commits

Enable qsh verification for Atlassian Connect


Discovery 2021-06-01
Entry 2021-06-01
gitlab-ce
ge 13.12.0 lt 13.12.2

ge 13.11.0 lt 13.11.5

ge 7.10.0 lt 13.10.5

CVE-2021-22181
https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/
62f2182c-5f7a-11ea-abb7-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Directory Traversal to Arbitrary File Read

Account Takeover Through Expired Link

Server Side Request Forgery Through Deprecated Service

Group Two-Factor Authentication Requirement Bypass

Stored XSS in Merge Request Pages

Stored XSS in Merge Request Submission Form

Stored XSS in File View

Stored XSS in Grafana Integration

Contribution Analytics Exposed to Non-members

Incorrect Access Control in Docker Registry via Deploy Tokens

Denial of Service via Permission Checks

Denial of Service in Design For Public Issue

Incorrect Access Control via LFS Import

Unescaped HTML in Header

Private Merge Request Titles Leaked via Widget

Project Namespace Exposed via Vulnerability Feedback Endpoint

Denial of Service Through Recursive Requests

Project Authorization Not Being Updated

Incorrect Permission Level For Group Invites

Disclosure of Private Group Epic Information

User IP Address Exposed via Badge images


Discovery 2020-03-04
Entry 2020-03-06
gitlab-ce
ge 12.8.0 lt 12.8.2

ge 12.7.0 lt 12.7.7

ge 0 lt 12.6.8

https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
CVE-2020-8113
66d1c277-652a-11eb-bb3f-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

Stored XSS in merge request

Stored XSS in epic's pages

Sensitive GraphQL variables exposed in structured log

Guest user can see tag names in private projects

Information disclosure via error message

DNS rebinding protection bypass

Validate existence of private project


Discovery 2021-02-01
Entry 2021-02-02
gitlab-ce
ge 13.8.0 lt 13.8.2

ge 13.7.0 lt 13.7.6

ge 11.8 lt 13.6.6

https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/
CVE-2021-22172
CVE-2021-22169
69cf62a8-a0aa-11ea-9ea5-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

User Email Verification Bypass

OAuth Flow Missing Email Verification Checks

Notification Email Verification Bypass

Undisclosed Vulnerability on a Third-Party Rendering Engine

Group Sign-Up Restriction Bypass

Mirror Project Owner Impersonation

Missing Permission Check on Fork Relation Creation

Cross-Site Scripting in Repository Files API

Kubernetes Cluster Token Disclosure

Object Storage File Enumeration

Insecure Authorization Check on Project Deploy Keys

Cross-Site Scripting on Metrics Dashboard

Denial of Service on Custom Dashboards

Client-Side Code Injection through Mermaid Markup

Cross-Site Scripting on Static Site Editor

Disclosure of Amazon EKS Credentials

Denial of Service on Workhorse


Discovery 2020-05-27
Entry 2020-05-28
gitlab-ce
ge 13.0.0 lt 13.0.1

ge 12.10.0 lt 12.10.7

ge 12.9.0 lt 12.9.8

https://about.gitlab.com/releases/2020/05/27/security-release-13-0-1-released/
6c22bb39-0a9a-11ec-a265-001b217b3468  Gitlab -- Vulnerabilities

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference


Discovery 2021-08-31
Entry 2021-08-31
gitlab-ce
ge 14.2.0 lt 14.2.2

ge 14.1.0 lt 14.1.4

ge 0 lt 14.0.9

CVE-2021-22257
CVE-2021-22258
CVE-2021-22238
https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/
6eddfa51-fb44-11e9-86e9-001b217b3468  Gitlab -- Disclosure Vulnerabilities

Gitlab reports:

Source branch of a MR could be removed by an unauthorised user

Private group members could be listed

Disclosure of System Notes via Elasticsearch integration

Disclosure of Private Comments via Elasticsearch integration

Confirm existence of private repositories

Private group membership could be disclosed

Disclosure of Project Labels

Disclosure of Private Project Path and Labels

Uncontrolled Resource Consumption due to Nested GraphQL Queries

Improper access control on comments

Sentry Token Access Control

Authorisation check for Project Transfer option

XSS in Wiki Pages Using RDoc

Untrusted Input could be used for Internal Redirect

Access control for protected environments

Private Sub Group path Disclosure

Disclosure of Group Packages List

Private Repository Name Disclosure


Discovery 2019-10-30
Entry 2019-10-30
gitlab-ce
ge 12.4.0 lt 12.4.1

ge 12.3.0 lt 12.3.6

ge 0 lt 12.2.9

CVE-2019-18454
https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
CVE-2019-18446
CVE-2019-18447
CVE-2019-18460
CVE-2019-18456
CVE-2019-18448
CVE-2019-18449
CVE-2019-18450
CVE-2019-18452
CVE-2019-18455
CVE-2019-18453
CVE-2019-18457
CVE-2019-18458
CVE-2019-18451
CVE-2019-18459
CVE-2019-18461
CVE-2019-18463
CVE-2019-18462
70b774a8-05bc-11e9-87ad-001b217b3468  Gitlab -- Arbitrary File read in Gitlab project import

Gitlab reports:

Arbitrary File read in Gitlab project import


Discovery 2018-12-20
Entry 2018-12-22
gitlab-ce
ge 11.5.0 lt 11.5.5

ge 11.4.0 lt 11.4.12

ge 8.9.0 lt 11.3.14

https://about.gitlab.com/2018/12/20/critical-security-release-gitlab-11-dot-5-dot-5-released/
CVE-2018-20229
757e6ee8-ff91-11e8-a148-001b217b3468  Gitlab -- Arbitrary File read in GitLab project import with Git LFS

Gitlab reports:

Arbitrary File read in GitLab project import with Git LFS


Discovery 2018-12-13
Entry 2018-12-14
gitlab-ce
ge 11.5.0 lt 11.5.4

ge 11.4.0 lt 11.4.11

ge 11.0.0 lt 11.4.0

https://about.gitlab.com/2018/12/13/critical-security-release-gitlab-11-dot-5-dot-4-released/
CVE-2018-20144
7ba5a3d0-4b18-11e9-adcb-001b217b3468  Gitlab -- Vulnerability

Gitlab reports:

Public project in a private group makes the group page publicly accessible


Discovery 2019-03-14
Entry 2019-03-20
gitlab-ce
< 11.8.2

https://about.gitlab.com/2019/03/14/gitlab-11-8-2-released/
CVE-2019-9732
8657eedd-b423-11ec-9559-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID


Discovery 2022-03-31
Entry 2022-04-04
gitlab-ce
ge 14.9.0 lt 14.9.2

ge 14.8.0 lt 14.8.5

ge 0 lt 14.7.7

CVE-2022-1162
CVE-2022-1175
CVE-2022-1190
CVE-2022-1185
CVE-2022-1148
CVE-2022-1121
CVE-2022-1120
CVE-2022-1100
CVE-2022-1193
CVE-2022-1105
CVE-2022-1099
CVE-2022-1174
CVE-2022-1188
CVE-2022-0740
CVE-2022-1189
CVE-2022-1157
CVE-2022-1111
https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
8a0cd618-22a0-11ed-b1e7-001b217b3468  Gitlab -- Remote Code Execution

Gitlab reports:

Remote Command Execution via Github import


Discovery 2022-08-22
Entry 2022-08-23
gitlab-ce
ge 15.3.0 lt 15.3.1

ge 15.2.0 lt 15.2.3

ge 11.3.4 lt 15.1.5

CVE-2022-2884
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
8a4aba2d-f33e-11e8-9416-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

View Names of Private Groups

Persistent XSS in Environments

SSRF in Prometheus integration

Unauthorized Promotion of Milestones

Exposure of Confidential Issue Title

Persistent XSS in Markdown Fields via Mermaid Script

Persistent XSS in Markdown Fields via Unrecognized HTML Tags

Symlink Race Condition in Pages

Unauthorized Changes by Guest User in Issues

Unauthorized Comments on Locked Issues

Improper Enforcement of Token Scope

CRLF Injection in Project Mirroring

XSS in OAuth Authorization

SSRF in Webhooks

Send Email on Email Address Change

Workhorse Logs Contained Tokens

Unauthorized Publishing of Draft Comments

Guest Can Set Weight of a New Issue

Disclosure of Private Group's Members and Milestones

Persistent XSS in Operations

Reporter Can View Operations Page


Discovery 2018-11-28
Entry 2018-11-28
gitlab-ce
ge 11.5.0 lt 11.5.1

ge 11.4.0 lt 11.4.8

ge 0 lt 11.3.11

https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
CVE-2018-19494
CVE-2018-19493
CVE-2018-19495
CVE-2018-19496
CVE-2018-19577
CVE-2018-19573
CVE-2018-19570
CVE-2018-19572
CVE-2018-19576
CVE-2018-19575
CVE-2018-19569
CVE-2018-19585
CVE-2018-19574
CVE-2018-19571
CVE-2018-19580
CVE-2018-19583
CVE-2018-19582
CVE-2018-19581
CVE-2018-19584
CVE-2018-19579
CVE-2018-19578
8ba8278d-db06-11eb-ba49-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

DoS using Webhook connections

CSRF on GraphQL API allows executing mutations through GET requests

Private projects information disclosure

Denial of service of user profile page

Single sign-on users not getting blocked

Some users can push to Protected Branch with Deploy keys

A deactivated user can access data through GraphQL

Reflected XSS in release edit page

Clipboard DOM-based XSS

Stored XSS on Audit Log

Forks of public projects by project members could leak codebase

Improper text rendering

HTML Injection in full name field


Discovery 2021-07-01
Entry 2021-07-02
gitlab-ce
ge 14.0.0 lt 14.0.2

ge 13.12.0 lt 13.12.6

ge 8.0.0 lt 13.11.6

https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/
8bf856ea-7df7-11eb-9aad-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

JWT token leak via Workhorse

Stored XSS in wiki pages

Group Maintainers are able to use the Group CI/CD Variables API

Insecure storage of GitLab session keys


Discovery 2021-03-04
Entry 2021-03-05
gitlab-ce
ge 13.9.0 lt 13.9.2

ge 13.8.0 lt 13.8.5

< 13.7.8

https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/
CVE-2021-22185
CVE-2021-22186
8fc615cc-8a66-11e8-8c75-d8cb8abf62dd  Gitlab -- Remote Code Execution Vulnerability in GitLab Projects Import

Gitlab reports:

Remote Code Execution Vulnerability in GitLab Projects Import


Discovery 2018-07-17
Entry 2018-07-18
gitlab-ce
gitlab
ge 11.0.0 lt 11.0.4

ge 10.8.0 lt 10.8.6

ge 8.9.0 lt 10.7.7

CVE-2018-14364
https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/
9a09eaa2-6448-11ea-abb7-001b217b3468  Gitlab -- Vulnerability

Gitlab reports:

Email Confirmation not Required on Sign-up


Discovery 2020-03-11
Entry 2020-03-12
gitlab-ce
ge 12.8.0 lt 12.8.6

https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/
9d3428d4-f98c-11e8-a148-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

Directory Traversal in Templates API


Discovery 2018-12-06
Entry 2018-12-06
gitlab-ce
ge 11.5.0 lt 11.5.3

ge 11.4.0 lt 11.4.10

ge 8.11.0 lt 11.3.12

https://about.gitlab.com/2018/12/06/critical-security-release-gitlab-11-dot-5-dot-3-released/
CVE-2018-19856
a003b74f-d7b3-11ea-9df1-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Arbitrary File Read when Moving an Issue

Memory Exhaustion via Excessive Logging of Invite Email Error

Denial of Service Through Project Import Feature

User Controlled Git Configuration Settings Resulting in SSRF

Stored XSS in Issue Reference Number Tooltip

Stored XSS in Issues List via Milestone Title

Improper Access Control After Group Transfer

Bypass Email Verification Required for OAuth Flow

Confusion When Using Hexadecimal Branch Names

Insufficient OAuth Revocation

Improper Access Control for Project Sharing

Stored XSS in Jobs Page

Improper Access Control of Applications Page

SSRF into Shared Runner

Update Kramdown Gem


Discovery 2020-08-05
Entry 2020-08-06
Modified 2020-08-25
gitlab-ce
< 13.3.0

https://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/
CVE-2020-10977
CVE-2020-13280
CVE-2020-13281
CVE-2020-14001
a0602fa0-5c1c-11e9-abd6-001b217b3468  Gitlab -- Group Runner Registration Token Exposure

Gitlab reports:

Group Runner Registration Token Exposure


Discovery 2019-04-10
Entry 2019-04-11
gitlab-ce
ge 11.9.0 lt 11.9.7

ge 11.8.0 lt 11.8.7

ge 10.4.0 lt 11.7.11

https://about.gitlab.com/2019/04/10/critical-security-release-gitlab-11-dot-9-dot-7-released/
CVE-2019-11000
a2a2b34d-52b4-11eb-87cb-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

Ability to steal a user's API access token through GitLab Pages

Prometheus denial of service via HTTP request with custom method

Unauthorized user is able to access private repository information under specific conditions

Regular expression denial of service in NuGet API

Regular expression denial of service in package uploads

Update curl dependency

CVE-2019-3881 mitigation


Discovery 2021-01-07
Entry 2021-01-09
gitlab-ce
ge 13.7.0 lt 13.7.2

ge 13.6.0 lt 13.6.4

ge 12.2 lt 13.5.6

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/
CVE-2021-22166
CVE-2020-26414
CVE-2019-3881
a3495e61-047f-11eb-86ea-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

Potential Denial Of Service Via Update Release Links API

Insecure Storage of Session Key In Redis

Improper Access Expiration Date Validation

Cross-Site Scripting in Multiple Pages

Unauthorized Users Can View Custom Project Template

Cross-Site Scripting in SVG Image Preview

Incomplete Handling in Account Deletion

Insufficient Rate Limiting at Re-Sending Confirmation Email

Improper Type Check in GraphQL

To-dos Are Not Redacted When Membership Changes

Guest users can modify confidentiality attribute

Command injection on runner host

Insecure Runner Configuration in Kubernetes Environments


Discovery 2020-10-01
Entry 2020-10-02
gitlab-ce
ge 13.4.0 lt 13.4.2

ge 13.3.0 lt 13.3.7

ge 7.12 lt 13.2.10

https://about.gitlab.com/releases/2020/10/01/security-release-13-4-2-release/
CVE-2020-13333
CVE-2020-13332
CVE-2020-13335
CVE-2020-13334
CVE-2020-13327
b17c86b9-e52e-11e9-86e9-001b217b3468  Gitlab -- Multiple Vulnerabilities

SO-AND-SO reports:

XSS in Markdown Preview Using Mermaid

Bypass Email Verification using Salesforce Authentication

Account Takeover using SAML

Uncontrolled Resource Consumption in Markdown using Mermaid

Disclosure of Private Project Path and Labels

Disclosure of Assignees via Milestones

Disclosure of Project Path via Unsubscribe Link

Disclosure of Project Milestones via Groups

Disclosure of Private System Notes via GraphQL

GIT Command Injection via API

Bypass User Blocking via CI/CD token

IDOR Adding Groups to Protected Environments

Disclosure of Group Membership via Merge Request Approval Rules

Disclosure of Head Pipeline via Blocking Merge Request Feature

Grafana update


Discovery 2019-09-30
Entry 2019-10-02
gitlab-ce
ge 12.3.0 lt 12.3.2

ge 12.2.0 lt 12.2.6

ge 7.12.0 lt 12.1.12

https://about.gitlab.com/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
CVE-2019-19039
b2789b2d-d521-11e9-86e9-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Project Template Functionality Could Be Used to Access Restricted Project Data

Security Enhancements in GitLab Pages


Discovery 2019-09-10
Entry 2019-09-12
gitlab-ce
ge 12.2.0 lt 12.2.5

ge 12.1.0 lt 12.1.9

ge 11.6.0 lt 12.0.9

https://about.gitlab.com/2019/09/10/critical-security-release-gitlab-12-dot-2-dot-5-released/
CVE-2019-16170
b299417a-5725-11ec-a587-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI


Discovery 2021-12-06
Entry 2021-12-07
gitlab-ce
ge 14.5.0 lt 14.5.2

ge 14.4.0 lt 14.4.4

ge 0 lt 14.3.6

CVE-2021-39944
CVE-2021-39935
CVE-2021-39937
CVE-2021-39915
CVE-2021-39919
CVE-2021-39930
CVE-2021-39940
CVE-2021-39932
CVE-2021-39933
CVE-2021-39934
CVE-2021-39917
CVE-2021-39916
CVE-2021-39941
CVE-2021-39936
CVE-2021-39938
CVE-2021-39918
CVE-2021-39931
CVE-2021-39945
CVE-2021-39910
https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
b2f4ab91-0e6b-11e9-8700-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

Source code disclosure merge request diff

Todos improper access control

URL rel attribute not set

Persistent XSS Autocompletion

SSRF repository mirroring

CI job token LFS error message disclosure

Secret CI variable exposure

Guest user CI job disclosure

Persistent XSS label reference

Persistent XSS wiki in IE browser

SSRF in project imports with LFS

Improper access control CI/CD settings

Missing authorization control merge requests

Improper access control branches and tags

Missing authentication for Prometheus alert endpoint


Discovery 2018-12-31
Entry 2019-01-02
gitlab-ce
ge 11.6.0 lt 11.6.1

ge 11.5.0 lt 11.5.6

ge 8.0.0 lt 11.4.13

https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/
CVE-2018-20493
CVE-2018-20492
CVE-2018-20489
CVE-2018-20490
CVE-2018-20497
CVE-2018-20495
CVE-2018-20488
CVE-2018-20494
CVE-2018-20496
CVE-2018-20491
CVE-2018-20499
CVE-2018-20500
CVE-2018-20501
CVE-2018-20498
CVE-2018-20507
b51d9e83-de08-11e8-9416-001b217b3468  Gitlab -- SSRF in Kubernetes integration

SO-AND-SO reports:

SSRF in Kubernetes integration


Discovery 2018-11-01
Entry 2018-11-01
gitlab-ce
ge 11.4.0 lt 11.4.4

ge 11.3.0 lt 11.3.9

ge 11.0.0 lt 11.2.8

https://about.gitlab.com/2018/11/01/critical-security-release-gitlab-11-dot-4-dot-4-released/
CVE-2018-18843
b68cc195-cae7-11e9-86e9-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Kubernetes Integration Server-Side Request Forgery

Server-Side Request Forgery in Jira Integration

Improved Protection Against Credential Stuffing Attacks

Markdown Clientside Resource Exhaustion

Pipeline Status Disclosure

Group Runner Authorization Issue

CI Metrics Disclosure

User IP Disclosed by Embedded Image and Media

Label Description HTML Injection

IDOR in Epic Notes API

Push Rule Bypass

Project Visibility Restriction Bypass

Merge Request Discussion Restriction Bypass

Disclosure of Merge Request IDs

Weak Authentication In Certain Account Actions

Disclosure of Commit Title and Comments

Stored XSS via Markdown

EXIF Geolocation Data Exposure

Multiple SSRF Regressions on Gitaly

Default Branch Name Exposure

Potential Denial of Service via CI Pipelines

Privilege Escalation via Logrotate


Discovery 2019-08-29
Entry 2019-08-30
gitlab-ce
ge 12.2.0 lt 12.2.3

ge 12.1.0 lt 12.1.8

ge 0.0.0 lt 12.0.8

https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/
CVE-2019-15728
CVE-2019-15730
CVE-2019-15722
CVE-2019-15729
CVE-2019-15721
CVE-2019-15727
CVE-2019-15726
CVE-2019-15724
CVE-2019-15725
CVE-2019-15723
CVE-2019-15732
CVE-2019-15731
CVE-2019-15738
CVE-2019-15737
CVE-2019-15734
CVE-2019-15739
CVE-2019-15740
CVE-2019-15733
CVE-2019-15736
CVE-2019-15741
b9591212-dba7-11e8-9416-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

RCE in Gitlab Wiki API

SSRF in Hipchat integration

Cleartext storage of personal access tokens

Information exposure through stack trace error message

Persistent XSS autocomplete

Information exposure in stored browser history

Information exposure when replying to issues through email

Persistent XSS in License Management and Security Reports

Metrics information disclosure in Prometheus integration

Unauthorized changes to a protected branch's access levels


Discovery 2018-10-29
Entry 2018-10-29
gitlab-ce
ge 11.4.0 lt 11.4.3

ge 11.3.0 lt 11.3.8

ge 5.3.0 lt 11.2.7

https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/
CVE-2018-18649
CVE-2018-18646
CVE-2018-18641
CVE-2018-18648
CVE-2018-18643
CVE-2018-18640
CVE-2018-18645
CVE-2018-18642
CVE-2018-18644
CVE-2018-18647
c5bd9068-440f-11ea-9cdb-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Path Traversal to Arbitrary File Read

User Permissions Not Validated in ProjectExportWorker

XSS Vulnerability in File API

Package and File Disclosure through GitLab Workhorse

XSS Vulnerability in Create Groups

Issue and Merge Request Activity Counts Exposed

Email Confirmation Bypass Using AP

Disclosure of Forked Private Project Source Code

Private Project Names Exposed in GraphQL queries

Disclosure of Issues and Merge Requests via Todos

Denial of Service via AsciiDoc

Last Pipeline Status Exposed

Arbitrary Change of Pipeline Status

Grafana Token Displayed in Plaintext

Update excon gem

Update rdoc gem

Update rack-cors gem

Update rubyzip gem


Discovery 2020-01-30
Entry 2020-01-31
gitlab-ce
ge 12.7.0 lt 12.7.4

ge 12.6.0 lt 12.6.6

ge 5.3 lt 12.5.9

CVE-2020-7971
CVE-2020-7967
https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/
CVE-2020-7966
CVE-2020-8114
CVE-2020-7973
CVE-2020-6833
CVE-2020-7972
CVE-2020-7968
CVE-2020-7979
CVE-2020-7969
CVE-2020-7978
CVE-2020-7974
CVE-2020-7977
CVE-2020-7976
CVE-2019-16779
CVE-2019-18978
CVE-2019-16892
d1b35142-ff4a-11ec-8be3-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint


Discovery 2022-06-30
Entry 2022-07-09
gitlab-ce
ge 15.1.0 lt 15.1.1

ge 15.0.0 lt 15.0.4

ge 0 lt 14.10.5

CVE-2022-2185
CVE-2022-2235
CVE-2022-2230
CVE-2022-2229
CVE-2022-1983
CVE-2022-1963
CVE-2022-2228
CVE-2022-2243
CVE-2022-2244
CVE-2022-1954
CVE-2022-2270
CVE-2022-2250
CVE-2022-1999
CVE-2022-2281
CVE-2022-1981
CVE-2022-2227
https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/
d889d32c-ecd9-11e8-9416-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

Persistent XSS Autocompletion

Unauthorized service template creation


Discovery 2018-11-19
Entry 2018-11-20
gitlab-ce
ge 11.4.0 lt 11.4.6

ge 8.9.0 lt 11.3.10

https://about.gitlab.com/2018/11/19/critical-security-release-gitlab-11-dot-4-dot-6-released/
CVE-2018-18643
CVE-2018-19359
da459dbc-5586-11e9-abd6-001b217b3468  Gitlab -- Multiple vulnerabilities

Gitlab reports:

DoS potential for regex in CI/CD refs

Related branches visible in issues for guests

Persistent XSS at merge request resolve conflicts

Improper authorization control "move issue"

Guest users of private projects have access to releases

DoS potential on project languages page

Recurity assessment: information exposure through timing discrepancy

Recurity assessment: loginState HMAC issues

Recurity assessment: open redirect

PDF.js vulnerable to CVE-2018-5158

IDOR labels of private projects/groups

EXIF geolocation data not stripped from uploaded images


Discovery 2019-04-01
Entry 2019-04-02
gitlab-ce
ge 11.9.0 lt 11.9.4

ge 11.8.0 lt 11.8.6

lt 11.7.10

https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
CVE-2019-10640
CVE-2019-10116
CVE-2019-10111
CVE-2019-10110
CVE-2019-10115
CVE-2019-10113
CVE-2019-10114
CVE-2019-10112
CVE-2019-10117
CVE-2018-5158
CVE-2019-10108
CVE-2019-10109
ddd48087-bd86-11e9-b13f-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Insecure Authentication Methods Disabled for Grafana By Default

Multiple Command-Line Flag Injection Vulnerabilities

Insecure Cookie Handling on GitLab Pages


Discovery 2019-08-12
Entry 2019-08-13
gitlab-ce
ge 12.1.0 lt 12.1.6

ge 12.0.0 lt 12.0.6

ge 10.0.0 lt 11.11.8

https://about.gitlab.com/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/
CVE-2019-14943
CVE-2019-14944
CVE-2019-14942
e0382fde-4bb0-11e9-adcb-001b217b3468  Gitlab -- Vulnerability

Gitlab reports:

Project Runner Token Exposed Through Issues Quick Actions


Discovery 2019-03-20
Entry 2019-03-21
gitlab-ce
ge 11.8.0 lt 11.8.3

lt 11.7.7

https://about.gitlab.com/2019/03/20/critical-security-release-gitlab-11-dot-8-dot-3-released/
CVE-2019-9866
e6b994e2-2891-11ed-9be7-454b1dd82c64  Gitlab -- multiple vulnerabilities

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled


Discovery 2022-08-30
Entry 2022-08-30
gitlab-ce
ge 15.3.0 lt 15.3.2

ge 15.2.0 lt 15.2.4

ge 10.0.0 lt 15.1.6

CVE-2022-2992
CVE-2022-2865
CVE-2022-2527
CVE-2022-2592
CVE-2022-2533
CVE-2022-2455
CVE-2022-2428
CVE-2022-2908
CVE-2022-2630
CVE-2022-2931
CVE-2022-2907
CVE-2022-3031
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
e8483115-8b8e-11ea-bdcf-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Path Traversal in NuGet Package Registry

Workhorse Bypass Leads to File Disclosure

OAuth Application Client Secrets Revealed

Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes

Code Owners Protection Not Enforced from Web UI

Repository Mirror Passwords Exposed To Maintainers

Admin Audit Log Page Denial of Service

Private Project ID Revealed Through Group API

Elasticsearch Credentials Logged to ELK

GitHub Personal Access Token Exposed on Integrations Page

Update Nokogiri dependency

Update OpenSSL Dependency

Update git


Discovery 2020-04-30
Entry 2020-05-01
gitlab-ce
ge 12.10.0 lt 12.10.2

ge 12.9.0 lt 12.9.5

ge 8.4.0 lt 12.8.10

https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/
CVE-2020-12448
CVE-2020-10187
CVE-2020-7595
CVE-2020-1967
CVE-2020-11008
f414d69f-e43d-11ec-9ea4-001b217b3468  Gitlab -- multiple vulnerabilities

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass


Discovery 2022-06-01
Entry 2022-06-04
gitlab-ce
ge 15.0.0 lt 15.0.1

ge 14.10.0 lt 14.10.4

ge 11.10.0 lt 14.9.5

CVE-2022-1680
CVE-2022-1940
CVE-2022-1948
CVE-2022-1935
CVE-2022-1936
CVE-2022-1944
CVE-2022-1821
CVE-2022-1783
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
f7a97d43-c039-11ea-a051-001b217b3468  Gitlab -- Multiple Vulnerabilities

Gitlab reports:

Workhorse bypass allows files in /tmp to be read via Maven Repository APIs


Discovery 2020-07-06
Entry 2020-07-07
gitlab-ce
ge 13.1.0 lt 13.1.3

ge 13.0.0 lt 13.0.9

ge 0 lt 12.10.14

https://about.gitlab.com/releases/2020/07/06/critical-security-release-gitlab-13-1-3-released/
CVE-2020-15525
f929b172-369e-11ea-9cdb-001b217b3468  Gitlab -- Private objects exposed through project import

Gitlab reports:

Private objects exposed through project import


Discovery 2020-01-13
Entry 2020-01-14
gitlab-ce
ge 12.6.0 lt 12.6.4

ge 12.5.0 lt 12.5.7

ge 8.9.0 lt 12.4.8

https://about.gitlab.com/releases/2020/01/13/critical-security-release-gitlab-12-dot-6-dot-4-released/
CVE-2020-6832
fb6e53ae-9df6-11eb-ba8c-001b217b3468  Gitlab -- Vulnerabilities

SO-AND-SO reports:

Remote code execution when uploading specially crafted image files

Update Rexml


Discovery 2021-04-14
Entry 2021-04-15
gitlab-ce
ge 13.10.0 lt 13.10.3

ge 13.9.0 lt 13.9.6

ge 7.12 lt 13.8.8

https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
CVE-2021-28965
ff50192c-19eb-11e9-8573-001b217b3468  Gitlab -- Arbitrary repo read in Gitlab project import

Gitlab reports:

Arbitrary repo read in Gitlab project import


Discovery 2019-01-16
Entry 2019-01-17
gitlab-ce
ge 11.6.0 lt 11.6.4

ge 11.5.0 lt 11.5.7

ge 8.9.0 lt 11.4.14

https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/
CVE-2019-6240
ffeb25d0-ac94-11e8-ab15-d8cb8abf62dd  Gitlab -- multiple vulnerabilities

Gitlab reports:

Persistent XSS in Pipeline Tooltip

GitLab.com GCP Endpoints Exposure

Persistent XSS in Merge Request Changes View

Sensitive Data Disclosure in Sidekiq Logs

Missing CSRF in System Hooks

Orphaned Upload Files Exposure

Missing Authorization Control API Repository Storage


Discovery 2018-08-28
Entry 2018-08-30
gitlab-ce
ge 11.2.0 lt 11.2.3

ge 11.1.0 lt 11.1.6

ge 2.7.0 lt 11.0.6

https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/