CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-4138
https://notcve.org/view.php?id=CVE-2022-4138
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4138.json https://gitlab.com/gitlab-org/gitlab/-/issues/383709 https://hackerone.com/reports/1778009 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3411
https://notcve.org/view.php?id=CVE-2022-3411
A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3411.json https://gitlab.com/gitlab-org/gitlab/-/issues/376247 https://hackerone.com/reports/1685995 • CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2022-4205
https://notcve.org/view.php?id=CVE-2022-4205
In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash. En Gitlab EE/CE anterior a 15.6.1, 15.5.5 y 15.4.6, el uso de una rama con un nombre hexadecimal podía anular un hash existente. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4205.json https://gitlab.com/gitlab-org/gitlab/-/issues/374082 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2022-4335
https://notcve.org/view.php?id=CVE-2022-4335
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host. Se identificó una vulnerabilidad blind SSRF en todas las versiones de GitLab EE anteriores a 15.4.6, 15.5 anteriores a 15.5.5 y 15.6 anteriores a 15.6.1 que permite a un atacante conectarse a un host local. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4335.json https://gitlab.com/gitlab-org/gitlab/-/issues/353018 https://hackerone.com/reports/1462437 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2022-4201
https://notcve.org/view.php?id=CVE-2022-4201
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. Un blind SSRF en GitLab CE/EE que afecta a todas las versiones 11.3 anteriores a 15.4.6, 15.5 anteriores a 15.5.5 y 15.6 anteriores a 15.6.1 permite a un atacante conectarse a direcciones locales al configurar un GitLab Runner malicioso. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4201.json https://gitlab.com/gitlab-org/gitlab/-/issues/30376 • CWE-918: Server-Side Request Forgery (SSRF) •