CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 1CVE-2017-0926 – Debian Security Advisory 4145-1
https://notcve.org/view.php?id=CVE-2017-0926
18 Mar 2018 — Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. Gitlab Community Edition 10.3 es vulnerable a un problema de autorización incorrecta en el componente Oauth sign-in que resulta en el inicio de sesión de un usuario no autorizado. Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 3%CPEs: 7EXPL: 0CVE-2017-0916 – Debian Security Advisory 4145-1
https://notcve.org/view.php?id=CVE-2017-0916
18 Mar 2018 — Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution. Gitlab Community Edition 10.3 es vulnerable a una falta de validación de entradas en la cola system_hook_push mediante el componente de enlace web que resulta en la ejecución remota de código. Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code. • https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-8540
https://notcve.org/view.php?id=CVE-2014-8540
05 Jan 2018 — The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks. La API de grupos en GitLab 6.x y 7.x anteriores a la 7.4.3 permite que los usuarios guest autenticados remotos modifiquen la propiedad de grupos arbitrarios aprovechándose de las comprobaciones incorrectas de permisos. • http://www.openwall.com/lists/oss-security/2014/10/31/2 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.9EPSS: 0%CPEs: 8EXPL: 0CVE-2017-17716
https://notcve.org/view.php?id=CVE-2017-17716
17 Dec 2017 — GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. GitLab en versiones 9.4.x anteriores a la 9.4.2 no es compatible con la verificación de certificados SSL LDAP, pero se mencionó la opción LDAP verify_certificates en el anuncio del lanzamiento de la versión 9.4. Es... • https://about.gitlab.com/2017/07/22/gitlab-9-4-released/#security---add-ldap-ssl-certificate-verification • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 1%CPEs: 96EXPL: 1CVE-2017-12426
https://notcve.org/view.php?id=CVE-2017-12426
14 Aug 2017 — GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import. GitLab Community Edition (CE) y Enterprise Edition (EE) en versiones anteriores a la 8.17.8, 9.0.x en versiones anteriores a la 9.0.13, 9.1.x en versiones anteriores a la 9.1.10, 9.2.x en versiones anteriores a la 9.2.10, 9.3.x en ver... • https://github.com/sm-paul-schuette/CVE-2017-12426 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 175EXPL: 0CVE-2017-11437
https://notcve.org/view.php?id=CVE-2017-11437
02 Aug 2017 — GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users. GitLab Enterprise Edition (EE) en sus versiones anteriores a la 8.17.7 y las versiones 9.0.11, 9.1.8, 9.2.8 y 9.3.8 permite que un usuario autenticado con la capacidad para crear un proyecto utilice la función de replicación para poder acceder a repositorios de otros usuarios. • https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 54EXPL: 0CVE-2017-11438
https://notcve.org/view.php?id=CVE-2017-11438
02 Aug 2017 — GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup. GitLab Community Edition (CE) y Enterprise Edition (EE) anteriores a la 9.0.11, 9.0.11, 9.1.8 y 9.2.8 permiten que un usuario autenticado con la capacidad para crear un grupo se añada a sí mismo en cualquier proyecto que se sitúe dentro de un subgrupo. • https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 1CVE-2017-8778
https://notcve.org/view.php?id=CVE-2017-8778
04 May 2017 — GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document. GitLab anteriores a 8.14.9, 8.15.x anteriores a 8.15.6 y 8.16.x anteriores a 8.16.5 tienen XSS a través de un elemento SCRIPT en un archivo adjunto o un avatar que es un documento SVG. • https://about.gitlab.com/2017/02/15/gitlab-8-dot-16-dot-5-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 59EXPL: 1CVE-2017-0882
https://notcve.org/view.php?id=CVE-2017-0882
28 Mar 2017 — Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. Multiples versiones de GitLab exponen credenciales de usuario confidenciales al asignar un usuario a una solicitud de emisión o de combinación. Una correción fue incluida en las versiones 8.15.8, 8.16.7 y 8.17.4, que se publicaron el 20 de marzo de 2017 a las 23:59 UTC. • http://www.securityfocus.com/bid/97157 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.2EPSS: 0%CPEs: 22EXPL: 2CVE-2016-9469
https://notcve.org/view.php?id=CVE-2016-9469
28 Mar 2017 — Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3... • https://about.gitlab.com/2016/12/05/cve-2016-9469 • CWE-264: Permissions, Privileges, and Access Controls CWE-749: Exposed Dangerous Method or Function •