CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-8971
https://notcve.org/view.php?id=CVE-2018-8971
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users. La integración de Auth0 en GitLab, en versiones anteriores a la 10.3.9, versiones 10.4.x anteriores a la 10.4.6 y versiones 10.5.x anteriores a la 10.5.6 tiene una configuración omniauth-auth0 incorrecta, lo que da lugar al firmado de usuarios no deseados. • https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released https://www.debian.org/security/2018/dsa-4206 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-0920
https://notcve.org/view.php?id=CVE-2017-0920
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance. Las ediciones Community y Enterprise de Gitlab, en versiones anteriores a la 10.1.6, 10.2.6 y 10.3.4, son vulnerables a un problema de omisión de autenticación en el componente Projects::MergeRequests::CreationsController. Esto resulta en que un atacante puede ver todos los nombres de proyecto y sus respectivos espacios de nombre en una instancia de GitLab. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301336 https://www.debian.org/security/2018/dsa-4206 • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-0927
https://notcve.org/view.php?id=CVE-2017-0927
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users. Gitlab Community Edition 10.3 es vulnerable a un problema de autorización incorrecta en el componente deployment keys que resulta en el uso no autorizado de claves de implementación por parte de usuarios invitados. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://gitlab.com/gitlab-org/gitlab-ce/issues/37594 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-0922
https://notcve.org/view.php?id=CVE-2017-0922
Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object. Gitlab Enterprise Edition 10.3 es vulnerable a un problema de omisión de autenticación en el componente GitLab Projects::BoardsController que resulta en la divulgación de información en cualquier objeto board. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/301123 • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-0914
https://notcve.org/view.php?id=CVE-2017-0914
Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2.4 are vulnerable to a SQL injection in the MilestoneFinder component resulting in disclosure of all data in a GitLab instance's database. Las ediciones Community y Enterprise de Gitlab, en sus versiones 10.1, 10.2 y 10.2.4, son vulnerables a una inyección SQL en el componente MilestoneFinder que resulta en la divulgación de todos los datos en la base de datos de una instancia de Gitlab. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released https://hackerone.com/reports/298176 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •