CVE-2023-0756
https://notcve.org/view.php?id=CVE-2023-0756
An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code, victims who clone or download these repositories will execute arbitrary code on their systems. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0756.json https://gitlab.com/gitlab-org/gitlab/-/issues/390910 https://hackerone.com/reports/1864278 •
CVE-2023-1178
https://notcve.org/view.php?id=CVE-2023-1178
An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1178.json https://gitlab.com/gitlab-org/gitlab/-/issues/381815 https://hackerone.com/reports/1778009 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-1265
https://notcve.org/view.php?id=CVE-2023-1265
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json https://gitlab.com/gitlab-org/gitlab/-/issues/394960 https://hackerone.com/reports/1888690 • CWE-384: Session Fixation •
CVE-2023-1836
https://notcve.org/view.php?id=CVE-2023-1836
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1836.json https://gitlab.com/gitlab-org/gitlab/-/issues/404613 https://hackerone.com/reports/1923293 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-3375
https://notcve.org/view.php?id=CVE-2022-3375
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when attacker has a fork of a project that was switched to private. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3375.json https://gitlab.com/gitlab-org/gitlab/-/issues/376041 https://hackerone.com/reports/1710533 •