FreshPorts - VuXML

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference

ge 14.2.0 lt 14.2.2

ge 14.1.0 lt 14.1.4

ge 0 lt 14.0.9

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass

ge 15.0.0 lt 15.0.1

ge 14.10.0 lt 14.10.4

ge 11.10.0 lt 14.9.5

Gitlab reports:

Arbitrary file write while creating workspace

ReDoS in Cargo.toml blob viewer

Arbitrary API PUT requests via HTML injection in user's name

Disclosure of the public email in Tags RSS Feed

Non-Member can update MR Assignees of owned MRs

ge 16.8.0 lt 16.8.1

ge 16.7.0 lt 16.7.4

ge 16.6.0 lt 16.6.6

ge 12.7.0 lt 16.5.8

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID

ge 14.9.0 lt 14.9.2

ge 14.8.0 lt 14.8.5

ge 0 lt 14.7.7

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions

ge 16.9.0 lt 16.9.2

ge 16.8.0 lt 16.8.4

ge 11.3.0 lt 16.7.7

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add meta data upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author

ge 14.1.0 lt 14.1.2

ge 14.0.0 lt 14.0.7

ge 0 lt 13.12.9

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments

ge 14.8.0 lt 14.8.2

ge 14.7.0 lt 14.7.4

ge 0 lt 14.6.5

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DOS using crafted emojis

ge 16.10.0 lt 16.10.1

ge 16.9.0 lt 16.9.3

< 16.8.5

Gitlab reports:

Privilege escalation for external users when OIDC is enabled under certain conditions

Account takeover through open redirect for Group SAML accounts

Users on banned IP addresses can still commit to projects

User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables

The Gitlab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.

Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.

The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.

XSS and content injection and iframe injection when viewing raw files on iOS devices

Authenticated users can find other users by their private email

ge 15.11.0 lt 15.11.1

ge 15.10.0 lt 15.10.5

ge 9.0 lt 15.9.6

Gitlab reports:

ReDoS via EpicReferenceFilter in any Markdown fields

New commits to private projects visible in forks created while project was public

New commits to private projects visible in forks created while project was public

Maintainer can leak masked webhook secrets by manipulating URL masking

Information disclosure of project import errors

Sensitive information disclosure via value stream analytics controller

Bypassing Code Owners branch protection rule in GitLab

HTML injection in email address

Webhook token leaked in Sidekiq logs if log format is 'default'

Private email address of service desk issue creator disclosed via issues API

ge 16.1.0 lt 16.1.1

ge 16.0.0 lt 16.0.6

ge 15.11.0 lt 15.11.10

ge 7.14.0 lt 15.10.8

Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project

Group import allows impersonation of users in CI pipelines

Developers can bypass code owners approval by changing a MR's base branch

Leaking source code of restricted project through a fork

Third party library Consul requires enable-script-checks to be False to enable patch

Service account not deleted when namespace is deleted allowing access to internal projects

Enforce SSO settings bypassed for public projects for Members without identity

Removed project member can write to protected branches

Unauthorised association of CI jobs for Machine Learning experiments

Force pipelines to not have access to protected variables and will likely fail using tags

Maintainer can create a fork relationship between existing projects

Disclosure of masked CI variables via processing CI/CD configuration of forks

Asset Proxy Bypass using non-ASCII character in asset URI

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Removed Developer can continue editing the source code of a public project

A project reporter can leak owner's Sentry instance projects

Math rendering in markdown can escape container and hijack clicks

ge 16.4.0 lt 16.4.1

ge 16.3.0 lt 16.3.5

ge 8.15 lt 16.2.8

Gitlab reports:

Attacker can abuse scan execution policies to run pipelines as another user

ge 16.3.0 lt 16.3.4

ge 13.12.0 lt 16.2.7

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails

ge 15.2.0 lt 15.2.1

ge 15.1.0 lt 15.1.4

ge 0 lt 15.0.5

Gitlab reports:

Privilege escalation of "external user" to internal access through group service account

Maintainer can leak sentry token by changing the configured URL (fix bypass)

Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners

Information disclosure via project import endpoint

Developer can leak DAST scanners "Site Profile" request headers and auth password

Project forking outside current group

User is capable of creating Model experiment and updating existing run's status in public project

ReDoS in bulk import API

Pagination for Branches and Tags can be skipped leading to DoS

Internal Open Redirection Due to Improper handling of "../" characters

Subgroup Member With Reporter Role Can Edit Group Labels

Banned user can delete package registries

ge 16.3.0 lt 16.3.1

ge 16.2.0 lt 16.2.5

ge 4.1.0 lt 16.1.5

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address

ge 15.6.0 lt 15.6.1

ge 15.5.0 lt 15.5.5

ge 9.3.0 lt 15.4.6

Gitlab reports:

Malicious Runner Attachment via GraphQL

ge 15.11.0 lt 15.11.2

ge 15.10.0 lt 15.10.6

ge 9.0 lt 15.9.7

Gitlab reports:

XSS and ReDoS in Markdown via Banzai pipeline of Jira

Members with admin_group_member custom permission can add members with higher role

Release Description visible in public projects despite release set as project members only through atom response

Manipulate the repository content in the UI (CVE-2023-3401 bypass)

External user can abuse policy bot to gain access to internal projects

Client-side DOS via Mermaid Flowchart

Developers can update pipeline schedules to use protected branches even if they don't have permission to merge

Users can install Composer packages from public projects even when Package registry is turned off

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Guest users can react (emojis) on confidential work items which they cant see in a project

ge 16.6.0 lt 16.6.1

ge 16.5.0 lt 16.5.3

ge 8.13.0 lt 16.4.3

Gitlab reports:

Denial of Service via arbitrarily large Issue descriptions

CSRF via file upload allows an attacker to take over a repository

Sidekiq background job DoS by uploading malicious CI job artifact zips

Sidekiq background job DoS by uploading a malicious Helm package

ge 15.8.0 lt 15.8.1

ge 15.7.0 lt 15.7.6

ge 12.4.0 lt 15.6.7

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address

ge 14.4.0 lt 14.4.1

ge 14.3.0 lt 14.3.4

ge 0 lt 14.2.6

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled

ge 15.3.0 lt 15.3.2

ge 15.2.0 lt 15.2.4

ge 10.0.0 lt 15.1.6

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level

ge 15.4.0 lt 15.4.1

ge 15.3.0 lt 15.3.4

ge 9.3.0 lt 15.2.5

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port

ge 14.6.0 lt 14.6.2

ge 14.5.0 lt 14.5.3

ge 7.7 lt 14.4.5

Gitlab reports:

Smuggling code changes via merge requests with refs/replace

ge 15.11.0 lt 15.11.3

ge 15.10.0 lt 15.10.7

ge 9.0 lt 15.9.8

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing do not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry

ge 14.3.0 lt 14.3.1

ge 14.2.0 lt 14.2.5

ge 0 lt 14.1.7

Gitlab reports:

Cross-site scripting in "Maximum page reached" page

Private project guests can read new changes using a fork

Mirror repository error reveals password in Settings UI

DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint

Unauthenticated users can view Environment names from public projects limited to project members only

Copying information to the clipboard could lead to the execution of unexpected commands

Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL

Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release

Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown

MR for security reports are available to everyone

API timeout when searching for group issues

Unauthorised user can add child epics linked to victim's epic in an unrelated group

GitLab search allows to leak internal notes

Ambiguous branch name exploitation in GitLab

Improper permissions checks for moving an issue

Private project branches names can be leaked through a fork

ge 15.10.0 lt 15.10.1

ge 15.9.0 lt 15.9.4

ge 8.1 lt 15.8.5

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected

ge 14.7.0 lt 14.7.1

ge 14.6.0 lt 14.6.4

ge 0 lt 14.5.4

Gitlab reports:

ReDoS via ProjectReferenceFilter in any Markdown fields

ReDoS via AutolinkFilter in any Markdown fields

Regex DoS in Harbor Registry search

Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality

Stored XSS in Web IDE Beta via crafted URL

securityPolicyProjectAssign mutation does not authorize security policy project ID

An attacker can run pipeline jobs as arbitrary user

Possible Pages Unique Domain Overwrite

Access tokens may have been logged when a query was made to an endpoint

Reflected XSS via PlantUML diagram

The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code

Invalid 'start_sha' value on merge requests page may lead to Denial of Service

Developers can create pipeline schedules on protected branches even if they don't have access to merge

Potential DOS due to lack of pagination while loading license data

Leaking emails of newly created users

ge 16.2.0 lt 16.2.2

ge 16.1.0 lt 16.1.3

ge 9.3.0 lt 16.0.8

Gitlab reports:

Account Takeover via Password Reset without user interactions

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user

Bypass CODEOWNERS approval removal

Workspaces able to be created under different root namespace

Commit signature validation ignores headers after signature

ge 16.7.0 lt 16.7.2

ge 16.6.0 lt 16.6.4

ge 8.13.0 lt 16.5.6

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS

ge 16.9.0 lt 16.9.1

ge 16.8.0 lt 16.8.3

ge 11.3.0 lt 16.7.6

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory

ge 15.5.0 lt 15.5.2

ge 15.4.0 lt 15.4.4

ge 9.3.0 lt 15.3.5

Gitlab reports:

Stored XSS via Kroki diagram

Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings

Improper validation of SSO and SCIM tokens while managing groups

Maintainer can leak Datadog API key by changing Datadog site

Clipboard based XSS in the title field of work items

Improper user right checks for personal snippets

Release Description visible in public projects despite release set as project members only

Group integration settings sensitive information exposed to project maintainers

Improve pagination limits for commits

Gitlab Open Redirect Vulnerability

Maintainer may become an Owner of a project

ge 15.9.0 lt 15.9.2

ge 15.8.0 lt 15.8.4

ge 9.0.0 lt 15.7.8

Gitlab reports:

Remote Command Execution via Github import

ge 15.3.0 lt 15.3.1

ge 15.2.0 lt 15.2.3

ge 11.3.4 lt 15.1.5

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI

ge 14.5.0 lt 14.5.2

ge 14.4.0 lt 14.4.4

ge 0 lt 14.3.6

Gitlab reports:

Restrict group access token creation for custom roles

Project maintainers can bypass group's scan result policy block_branch_modification setting

ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax

Resource exhaustion using GraphQL vulnerabilitiesCountByDay

ge 16.8.0 lt 16.8.2

ge 16.7.0 lt 16.7.5

ge 13.3.0 lt 16.6.7

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

ge 15.1.0 lt 15.1.1

ge 15.0.0 lt 15.0.4

ge 0 lt 14.10.5

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser

ge 15.7.0 lt 15.7.2

ge 15.6.0 lt 15.6.4

ge 6.6.0 lt 15.5.7

Gitlab reports:

Smartcard authentication allows impersonation of arbitrary user using user's public certificate

When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge

The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags

Project maintainer can escalate to Project owner using project access token rotate API

Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content

Unvalidated timeSpent value leads to unable to load issues on Issue board

Developer can bypass predefined variables via REST API

Auditor users can create merge requests on projects they don't have access to

ge 16.6.0 lt 16.6.2

ge 16.5.0 lt 16.5.4

ge 8.17.0 lt 16.4.4

Gitlab reports:

Disclosure of CI/CD variables using Custom project templates

GitLab omnibus DoS crash via OOM with CI Catalogs

Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service

DoS - Blocking FIFO files in Tar archives

Titles exposed by service-desk template

Approval on protected environments can be bypassed

Version information disclosure when super_sidebar_logged_out feature flag is enabled

Add abuse detection for search syntax filter pipes

ge 16.5.0 lt 16.5.1

ge 16.4.0 lt 16.4.2

ge 11.6.0 lt 16.3.6

Gitlab reports:

Stored-XSS with CSP-bypass in Merge requests

ReDoS via FrontMatterFilter in any Markdown fields

ReDoS via InlineDiffFilter in any Markdown fields

ReDoS via DollarMathPostFilter in Markdown fields

DoS via malicious test report artifacts

Restricted IP addresses can clone repositories of public projects

Reflected XSS in Report Abuse Functionality

Privilege escalation from maintainer to owner by importing members from a project

Bypassing tags protection in GitLab

Denial of Service using multiple labels with arbitrarily large descriptions

Ability to use an unverified email for public and commit emails

Open Redirection Through HTTP Response Splitting

Disclosure of issue notes to an unauthorized user when exporting a project

Ambiguous branch name exploitation

ge 16.0.0 lt 16.0.2

ge 15.11.0 lt 15.11.7

ge 15.10.0 lt 15.10.8

ge 1.2 lt 15.9.8