CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39911
https://notcve.org/view.php?id=CVE-2021-39911
04 Nov 2021 — An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers Un defecto de control de acceso inadecuado en todas las versiones de GitLab CE/EE a partir de la 13.9 antes de la 14.2.6, en todas las versiones a partir de la 14.3 antes de la 14.3.4, y en todas las versiones a partir de la... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39911.json •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39907
https://notcve.org/view.php?id=CVE-2021-39907
04 Nov 2021 — A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage. Se ha detectado una posible vulnerabilidad de DOS en GitLab CE/EE a partir de la versión 13.7. La eliminación de los datos EXIF de determinadas imágenes resultaba en un elevado uso de la CPU • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39907.json • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2021-39904
https://notcve.org/view.php?id=CVE-2021-39904
04 Nov 2021 — An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request Una vulnerabilidad de control de acceso inadecuado en la API GraphQL en todas las versiones de GitLab CE/EE a partir de la 13.1 antes de la 14.2.6, en todas las v... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39904.json • CWE-863: Incorrect Authorization •
CVSS: 6.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39895
https://notcve.org/view.php?id=CVE-2021-39895
04 Nov 2021 — In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. En todas las versiones de GitLab CE/EE desde versión 8.0, un atacante puede configurar las programaciones de tuberías para que estén activas en una exportación d... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 1CVE-2021-22260
https://notcve.org/view.php?id=CVE-2021-22260
04 Nov 2021 — A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf Una vulnerabilidad de Cross-Site Scripting almacenada en la integración de DataDog en todas las versiones de GitLab CE/EE a partir de la 13.7 antes de la 14.0.9, todas las versiones a partir de la 14... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22260.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39901
https://notcve.org/view.php?id=CVE-2021-39901
04 Nov 2021 — In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. En todas las versiones de GitLab CE/EE desde versión 11.10, un administrador de un grupo puede visualizar el token SCIM de ese grupo visitando un endpoint específico • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39901.json •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39913
https://notcve.org/view.php?id=CVE-2021-39913
04 Nov 2021 — Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges El registro accidental de la contraseña de root del sistema en el registro de migración en todas las versiones de GitLab CE/EE anteriores a la 14.2.6, en todas las versiones a partir de la 14.3 antes de la 14.3.4 y e... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39913.json • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39912
https://notcve.org/view.php?id=CVE-2021-39912
04 Nov 2021 — A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion. Se ha detectado una potencial vulnerabilidad DoS en GitLab CE/EE a partir de la versión 13.7. Usando imágenes TIFF mal formadas era posible desencadenar el agotamiento de la memoria • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39912.json • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39906
https://notcve.org/view.php?id=CVE-2021-39906
04 Nov 2021 — Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. Una comprobación inapropiada de los archivos ipynb en GitLab CE/EE versión 13.5 y superiores, permite a un atacante ejecutar código JavaScript arbitrario en nombre de la víctima • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39906.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-39909
https://notcve.org/view.php?id=CVE-2021-39909
04 Nov 2021 — Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances La falta de verificación de la propiedad de la dirección de correo electrónico en la función CODEOWNERS en todas las versiones de GitLab EE a partir de la 11.3 antes de la 14.2.6, e... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39909.json • CWE-347: Improper Verification of Cryptographic Signature •