CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-0921 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2023-0921
06 Jun 2023 — A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0921.json • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2181
https://notcve.org/view.php?id=CVE-2023-2181
12 May 2023 — An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2181.json •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-1178
https://notcve.org/view.php?id=CVE-2023-1178
03 May 2023 — An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1178.json • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-1204
https://notcve.org/view.php?id=CVE-2023-1204
03 May 2023 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1204.json •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1CVE-2023-0155
https://notcve.org/view.php?id=CVE-2023-0155
03 May 2023 — An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects was possible due to framing arbitrary content on any page allowing user controlled markdown • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0155.json • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-1836
https://notcve.org/view.php?id=CVE-2023-1836
03 May 2023 — A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1836.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0756
https://notcve.org/view.php?id=CVE-2023-0756
03 May 2023 — An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code, victims who clone or download these repositories will execute arbitrary code on their systems. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0756.json •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2069
https://notcve.org/view.php?id=CVE-2023-2069
03 May 2023 — An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2069.json • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-4376
https://notcve.org/view.php?id=CVE-2022-4376
03 May 2023 — An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions, an attacker may be able to map a private email of a GitLab user to their GitLab account on an instance. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4376.json •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2018-15472
https://notcve.org/view.php?id=CVE-2018-15472
15 Apr 2023 — An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. The diff formatter using rouge can block for a long time in Sidekiq jobs without any timeout. • https://about.gitlab.com/blog/categories/releases •