CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8970 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-8970
11 Oct 2024 — An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/490916 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-5005 – Incorrect Provision of Specified Functionality in GitLab
https://notcve.org/view.php?id=CVE-2024-5005
11 Oct 2024 — An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API. • https://gitlab.com/gitlab-org/gitlab/-/issues/462108 • CWE-684: Incorrect Provision of Specified Functionality •
CVSS: 9.6EPSS: 0%CPEs: 3EXPL: 1CVE-2024-9164 – Missing Authentication for Critical Function in GitLab
https://notcve.org/view.php?id=CVE-2024-9164
11 Oct 2024 — An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. • https://gitlab.com/gitlab-org/gitlab/-/issues/493946 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-6530 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2024-6530
10 Oct 2024 — A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/471049 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8977 – Server-Side Request Forgery (SSRF) in GitLab
https://notcve.org/view.php?id=CVE-2024-8977
10 Oct 2024 — An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. • https://gitlab.com/gitlab-org/gitlab/-/issues/491060 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-9596 – Inclusion of Sensitive Information in Source Code in GitLab
https://notcve.org/view.php?id=CVE-2024-9596
10 Oct 2024 — An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. • https://gitlab.com/gitlab-org/gitlab/-/issues/493355 • CWE-540: Inclusion of Sensitive Information in Source Code •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-9623 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-9623
10 Oct 2024 — An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. • https://gitlab.com/gitlab-org/gitlab/-/issues/459995 • CWE-863: Incorrect Authorization •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 2CVE-2023-3441 – Exposure of Sensitive Information Due to Incompatible Policies in GitLab
https://notcve.org/view.php?id=CVE-2023-3441
01 Oct 2024 — An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches. Se ha descubierto un problema en GitLab EE/CE que afecta a todas las versiones a partir de la 8.0 hasta la 16.4. El producto no advertía lo suficiente sobre las implicaciones de seguridad de otorgar derechos de fusión a ramas protegidas. • https://gitlab.com/gitlab-org/gitlab/-/issues/416482 • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-4099 – Improper Encoding or Escaping of Output in GitLab
https://notcve.org/view.php?id=CVE-2024-4099
26 Sep 2024 — An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection. • https://gitlab.com/gitlab-org/gitlab/-/issues/457798 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-8974 – Incorrect Provision of Specified Functionality in GitLab
https://notcve.org/view.php?id=CVE-2024-8974
26 Sep 2024 — Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project." • https://gitlab.com/gitlab-org/gitlab/-/issues/482843 • CWE-684: Incorrect Provision of Specified Functionality •