Vulnerabilities > Gitlab

DATE CVE VULNERABILITY TITLE RISK
2021-10-05 CVE-2021-39891 Improper Cross-boundary Removal of Sensitive Data vulnerability in Gitlab
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.
network
low complexity
gitlab CWE-212
4.9
2021-10-05 CVE-2021-39866 Unspecified vulnerability in Gitlab
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
network
low complexity
gitlab
5.4
2021-10-05 CVE-2021-39867 Server-Side Request Forgery (SSRF) vulnerability in Gitlab
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
network
low complexity
gitlab CWE-918
8.1
2021-10-05 CVE-2021-39869 Unspecified vulnerability in Gitlab
In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.
network
low complexity
gitlab
6.5
2021-10-05 CVE-2021-39872 Improper Authentication vulnerability in Gitlab
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.
network
low complexity
gitlab CWE-287
6.5
2021-10-05 CVE-2021-39875 Unspecified vulnerability in Gitlab
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
network
low complexity
gitlab
5.3
2021-10-05 CVE-2021-39878 Cross-site Scripting vulnerability in Gitlab
A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code.
network
low complexity
gitlab CWE-79
5.4
2021-10-05 CVE-2021-39882 Cleartext Transmission of Sensitive Information vulnerability in Gitlab
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
network
low complexity
gitlab CWE-319
5.3
2021-10-05 CVE-2021-39884 Unspecified vulnerability in Gitlab
In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
network
low complexity
gitlab
4.3
2021-10-05 CVE-2021-39888 Unspecified vulnerability in Gitlab
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.
network
low complexity
gitlab
4.3