CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3758
https://notcve.org/view.php?id=CVE-2022-3758
09 Mar 2023 — An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks an unauthorised user was able to read, add or edit a users private snippet. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3758.json • CWE-276: Incorrect Default Permissions •
CVSS: 5.3EPSS: 1%CPEs: 6EXPL: 0CVE-2023-0223
https://notcve.org/view.php?id=CVE-2023-0223
09 Mar 2023 — An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0223.json •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-1072
https://notcve.org/view.php?id=CVE-2023-1072
09 Mar 2023 — An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1072.json • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.3EPSS: 1%CPEs: 6EXPL: 0CVE-2023-1084
https://notcve.org/view.php?id=CVE-2023-1084
09 Mar 2023 — An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1084.json •
CVSS: 6.4EPSS: 1%CPEs: 6EXPL: 0CVE-2022-4289
https://notcve.org/view.php?id=CVE-2022-4289
09 Mar 2023 — An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4289.json •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2022-4007
https://notcve.org/view.php?id=CVE-2022-4007
08 Mar 2023 — A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4007.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3411
https://notcve.org/view.php?id=CVE-2022-3411
13 Feb 2023 — A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3411.json • CWE-400: Uncontrolled Resource Consumption CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 9.4EPSS: 0%CPEs: 6EXPL: 0CVE-2022-4138
https://notcve.org/view.php?id=CVE-2022-4138
13 Feb 2023 — A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4138.json • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3759
https://notcve.org/view.php?id=CVE-2022-3759
13 Feb 2023 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3759.json • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-0518
https://notcve.org/view.php?id=CVE-2023-0518
13 Feb 2023 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0518.json • CWE-400: Uncontrolled Resource Consumption •