Vulnerabilities > Gitlab > Gitlab > 14.0.11
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-10-05 | CVE-2021-39869 | Information Exposure vulnerability in Gitlab. In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. | 4.3 |
2021-10-05 | CVE-2021-39875 | Information Exposure vulnerability in Gitlab. In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | 5.0 |
2021-10-05 | CVE-2021-39884 | Unspecified vulnerability in Gitlab. In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | 4.0 |
2021-10-05 | CVE-2021-39888 | Unspecified vulnerability in Gitlab. In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. | 4.3 |
2021-10-04 | CVE-2021-39883 | Unspecified vulnerability in Gitlab. Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allow subgroup members to see epics from all parent subgroups. | 4.3 |
2021-10-04 | CVE-2021-39885 | Cross-site Scripting vulnerability in Gitlab. A stored XSS in the merge request creation page in all versions of GitLab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names. | 5.4 |
2021-10-04 | CVE-2021-39900 | Information Exposure Through Log Files vulnerability in Gitlab. Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. | 4.0 |
2021-06-24 | CVE-2021-32823 | In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. | 3.7 |