CVE-2023-1084
https://notcve.org/view.php?id=CVE-2023-1084
An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1084.json https://gitlab.com/gitlab-org/gitlab/-/issues/390696 https://hackerone.com/reports/1805549 •
CVE-2023-1072
https://notcve.org/view.php?id=CVE-2023-1072
An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1072.json https://gitlab.com/gitlab-org/gitlab/-/issues/219619 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-4138
https://notcve.org/view.php?id=CVE-2022-4138
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4138.json https://gitlab.com/gitlab-org/gitlab/-/issues/383709 https://hackerone.com/reports/1778009 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-4335
https://notcve.org/view.php?id=CVE-2022-4335
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host. Se identificó una vulnerabilidad blind SSRF en todas las versiones de GitLab EE anteriores a 15.4.6, 15.5 anteriores a 15.5.5 y 15.6 anteriores a 15.6.1 que permite a un atacante conectarse a un host local. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4335.json https://gitlab.com/gitlab-org/gitlab/-/issues/353018 https://hackerone.com/reports/1462437 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-4201
https://notcve.org/view.php?id=CVE-2022-4201
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. Un blind SSRF en GitLab CE/EE que afecta a todas las versiones 11.3 anteriores a 15.4.6, 15.5 anteriores a 15.5.5 y 15.6 anteriores a 15.6.1 permite a un atacante conectarse a direcciones locales al configurar un GitLab Runner malicioso. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4201.json https://gitlab.com/gitlab-org/gitlab/-/issues/30376 • CWE-918: Server-Side Request Forgery (SSRF) •