CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-2013
https://notcve.org/view.php?id=CVE-2023-2013
An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2013.json https://gitlab.com/gitlab-org/gitlab/-/issues/406844 https://hackerone.com/reports/1940441 •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-0921
https://notcve.org/view.php?id=CVE-2023-0921
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0921.json https://gitlab.com/gitlab-org/gitlab/-/issues/392433 https://hackerone.com/reports/1869839 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-2132
https://notcve.org/view.php?id=CVE-2023-2132
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2132.json https://gitlab.com/gitlab-org/gitlab/-/issues/407586 https://hackerone.com/reports/1934711 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 10.0EPSS: 19%CPEs: 2EXPL: 5CVE-2023-2825 – GitLab Authenticated File Read
https://notcve.org/view.php?id=CVE-2023-2825
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. • https://github.com/cc3305/CVE-2023-2825 https://github.com/Occamsec/CVE-2023-2825 https://github.com/Rubikcuv5/CVE-2023-2825 https://github.com/caopengyan/CVE-2023-2825 https://github.com/Tornad0007/CVE-2023-2825-Gitlab https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json https://gitlab.com/gitlab-org/gitlab/-/issues/412371 https://hackerone.com/reports/1994725 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •