CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-4138
https://notcve.org/view.php?id=CVE-2022-4138
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4138.json https://gitlab.com/gitlab-org/gitlab/-/issues/383709 https://hackerone.com/reports/1778009 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3411
https://notcve.org/view.php?id=CVE-2022-3411
A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3411.json https://gitlab.com/gitlab-org/gitlab/-/issues/376247 https://hackerone.com/reports/1685995 • CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3759
https://notcve.org/view.php?id=CVE-2022-3759
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3759.json https://gitlab.com/gitlab-org/gitlab/-/issues/379633 https://hackerone.com/reports/1736230 •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-0518
https://notcve.org/view.php?id=CVE-2023-0518
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0518.json https://gitlab.com/gitlab-org/gitlab/-/issues/383082 https://hackerone.com/reports/1766973 •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-4255
https://notcve.org/view.php?id=CVE-2022-4255
An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload. Se identificó un problema de fuga de información en todas las versiones de GitLab EE desde la 13.7 anterior a la 15.4.6, la 15.5 anterior a la 15.5.5 y la 15.6 anterior a la 15.6.1 que expone la identificación del correo electrónico del usuario a través de el payload del webhook. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4255.json https://gitlab.com/gitlab-org/gitlab/-/issues/373819 •