Vulnerabilities > Gitlab
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-10-05 | CVE-2021-39891 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. | 4.9 |
2021-10-05 | CVE-2021-39866 | Unspecified vulnerability in Gitlab A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. | 5.4 |
2021-10-05 | CVE-2021-39867 | Server-Side Request Forgery (SSRF) vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks. | 8.1 |
2021-10-05 | CVE-2021-39869 | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. | 6.5 |
2021-10-05 | CVE-2021-39872 | Improper Authentication vulnerability in Gitlab In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. | 6.5 |
2021-10-05 | CVE-2021-39875 | Unspecified vulnerability in Gitlab In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. | 5.3 |
2021-10-05 | CVE-2021-39878 | Cross-site Scripting vulnerability in Gitlab A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code. | 5.4 |
2021-10-05 | CVE-2021-39882 | Cleartext Transmission of Sensitive Information vulnerability in Gitlab In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. | 5.3 |
2021-10-05 | CVE-2021-39884 | Unspecified vulnerability in Gitlab In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. | 4.3 |
2021-10-05 | CVE-2021-39888 | Unspecified vulnerability in Gitlab In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. | 4.3 |