CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2022-0477
https://notcve.org/view.php?id=CVE-2022-0477
25 Apr 2022 — An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions. Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 11.9 anteriores a 14.5.4, todas las versiones a partir de l... • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0477.json •
CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1157
https://notcve.org/view.php?id=CVE-2022-1157
11 Apr 2022 — Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged Una falta de saneo de los mensajes de excepción registrados en todas las versiones anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 14.9.2 de GitLab CE/EE causa el registro de posibles valores confidenciales en URLs no válidas • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1157.json • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2022-1193
https://notcve.org/view.php?id=CVE-2022-1193
11 Apr 2022 — Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances Un control de acceso inadecuado en las versiones 10.7 anterior a 14.7.7, 14.8 anterior a 14.8.5 y 14.9 anterior a 14.9.2 de GitLab CE/EE permite a un actor malintencionado obtener detalles del último commit de un proyecto privado a través de Merge Requests en de... • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1193.json • CWE-863: Incorrect Authorization •
CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1190
https://notcve.org/view.php?id=CVE-2022-1190
04 Apr 2022 — Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc. Un manejo inapropiado de la entrada del usuario en GitLab CE/EE versiones 8.3 anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 14.9.2, permitía a un atacante explotar un ataque de tipo XSS almacenado al abusar de las referencias de hitos de vari... • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1190.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 1%CPEs: 6EXPL: 2CVE-2022-1175 – GitLab 14.9 - Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-1175
04 Apr 2022 — Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. Una neutralización inapropiada de la entrada del usuario en GitLab CE/EE versiones 14.4 anteriores a 14.7.7, todas las versiones a partir de 14.8 anteriores a 14.8.5, todas las versiones a partir de 14.9 anteriores a 14.9.2, permitió a un atacante explotar un ataque de tip... • https://www.exploit-db.com/exploits/50889 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 30%CPEs: 6EXPL: 3CVE-2022-1162 – Gitlab 14.9 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2022-1162
04 Apr 2022 — A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts En GitLab CE/EE versiones 14.7 anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 14.9.2, era establecida una contraseña embebida para las cuentas registradas mediante un proveedor de OmniAuth (por ejemplo, OAuth, LDAP, SAML), permitiendo a atac... • https://www.exploit-db.com/exploits/50888 • CWE-798: Use of Hard-coded Credentials •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1148
https://notcve.org/view.php?id=CVE-2022-1148
04 Apr 2022 — Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites Una autorización inapropiada en GitLab Pages incluida en GitLab CE/EE afectando a todas las versiones desde la 11.5 anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 1... • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1148.json • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1121
https://notcve.org/view.php?id=CVE-2022-1121
04 Apr 2022 — A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption. Una falta de tiempos de espera apropiados en GitLab Pages incluidos en GitLab CE/EE todas las versiones anteriores a 14.7.7, 14.8 anteriores a 14.8.5 y 14.9 anteriores a 14.9.2, permite a un atacante causar un consumo no limitado de recursos • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1121.json • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1111
https://notcve.org/view.php?id=CVE-2022-1111
04 Apr 2022 — A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages Un error de lógica empresarial en la Importación de Proyectos en GitLab CE/EE versiones 14.9 anteriores a 14.9.2, 14.8 anteriores a 14.8.5 y 14.0 anteriores a 14.7.7 causaba, en determinadas condiciones, que los proyectos importados mostr... • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1111.json •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1185
https://notcve.org/view.php?id=CVE-2022-1185
04 Apr 2022 — A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash the GitLab web application with a maliciously crafted RDoc file Una vulnerabilidad de denegación de servicio cuando son renderizados archivos RDoc en GitLab CE/EE versiones 10 a 14.7.7, 14.8.0 a 14.8.5 y 14.9.0 a 14.9.2, permite a un atacante bloquear la aplicación web de GitLab con un archivo RDoc maliciosamente diseñado • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1185.json • CWE-787: Out-of-bounds Write •