CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2023-2022 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-2022
02 Aug 2023 — An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge • https://gitlab.com/gitlab-org/gitlab/-/issues/407166 • CWE-262: Not Using Password Aging CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-3401 – Improper Control of Generation of Code ('Code Injection') in GitLab
https://notcve.org/view.php?id=CVE-2023-3401
02 Aug 2023 — An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code. • https://gitlab.com/gitlab-org/gitlab/-/issues/416252 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-2001
https://notcve.org/view.php?id=CVE-2023-2001
07 Jun 2023 — An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2001.json • CWE-290: Authentication Bypass by Spoofing •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-2013
https://notcve.org/view.php?id=CVE-2023-2013
07 Jun 2023 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2013.json • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2181
https://notcve.org/view.php?id=CVE-2023-2181
12 May 2023 — An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2181.json •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1CVE-2023-0155
https://notcve.org/view.php?id=CVE-2023-0155
03 May 2023 — An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects was possible due to framing arbitrary content on any page allowing user controlled markdown • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0155.json • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0756
https://notcve.org/view.php?id=CVE-2023-0756
03 May 2023 — An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code, victims who clone or download these repositories will execute arbitrary code on their systems. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0756.json •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2018-17451
https://notcve.org/view.php?id=CVE-2018-17451
15 Apr 2023 — An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Cross Site Request Forgery (CSRF) in the Slack integration for issuing slash commands. • https://about.gitlab.com/blog/categories/releases • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-17454
https://notcve.org/view.php?id=CVE-2018-17454
15 Apr 2023 — An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the issue details screen. • https://about.gitlab.com/blog/categories/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2018-17455
https://notcve.org/view.php?id=CVE-2018-17455
15 Apr 2023 — An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature. • https://about.gitlab.com/blog/categories/releases • CWE-639: Authorization Bypass Through User-Controlled Key •