CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39914
https://notcve.org/view.php?id=CVE-2021-39914
04 Nov 2021 — A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user Un problema de denegación de servicio con expresiones regulares en GitLab versiones 8.13 a 14.2.5, 14.3.0 a 14.3.3 y 14.4.0, podía causar un uso excesivo de recursos cuando se usaba un nombre de usuario especialmente diseñado al aprovisionar un nuevo usuario • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39914.json • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 2CVE-2021-22263
https://notcve.org/view.php?id=CVE-2021-22263
11 Oct 2021 — An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects. Se ha detectado un problema en GitLab afectando todas las versiones a partir de la 13.0 anteriores a 14.0.... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22263.json • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39880
https://notcve.org/view.php?id=CVE-2021-39880
05 Oct 2021 — A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware. Una vulnerabilidad de denegación de servicio en la gema apollo_upload_server Ruby en GitLab CE/EE todas las versiones a partir de la 11.9 antes de la 14.0.9, todas... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39880.json •
CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-22261
https://notcve.org/view.php?id=CVE-2021-22261
05 Oct 2021 — A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses Una vulnerabilidad de Cross-Site Scripting almacenada en la integración de Jira en todas las versiones de GitLab a partir de la 13.9 antes de la 14.0.9, todas las versiones a par... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22261.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-22258
https://notcve.org/view.php?id=CVE-2021-22258
05 Oct 2021 — The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses La función de importación/exportación de proyectos en GitLab versiones 8.9 y superiores, podría usarse para obtener direcciones de correo electrónico que de otro modo serían privadas • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22258.json •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-22262
https://notcve.org/view.php?id=CVE-2021-22262
05 Oct 2021 — Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page La falta de control de acceso en todas las versiones de GitLab a partir de la 13.12 antes de la 14.0.9, en todas las versiones a partir de ... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22262.json • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-22257
https://notcve.org/view.php?id=CVE-2021-22257
05 Oct 2021 — An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances. Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 14.0 anteriores a 14.0.9, todas las versiones a partir de la 14.1 anteriores a 14.1.4, todas las ve... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22257.json •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-22264
https://notcve.org/view.php?id=CVE-2021-22264
05 Oct 2021 — An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted. Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 13.8 anteriores a 14.0.9, todas las versiones a partir de la 14.1 ant... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22264.json •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39889
https://notcve.org/view.php?id=CVE-2021-39889
05 Oct 2021 — In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. En todas las versiones de GitLab EE desde la versión 14.1, debido a una vulnerabilidad de referencia directa a objetos insegura, un endpoint puede revelar el nombre de la rama protegida a un usuario malintencionado que realice una llamada a la API diseñada con el ID de ... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39870
https://notcve.org/view.php?id=CVE-2021-39870
05 Oct 2021 — In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call. En todas las versiones de GitLab CE/EE a partir de la versión 11.11, un atacante que realice una llamada a la API diseñada puede omitir una instancia que tenga habilitada la opción de desactivar la importación de repositorios por URL • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39870.json •