Vulnerabilities > Gitlab

DATE CVE VULNERABILITY TITLE RISK
2020-01-28 CVE-2013-4582 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Gitlab and Gitlab-Shell
The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allow remote authenticated users to include information from local files in the metadata of a Git repository via the web interface.
network
low complexity
gitlab CWE-829
4.0
2020-01-28 CVE-2019-5474 Incorrect Authorization vulnerability in Gitlab
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
network
low complexity
gitlab CWE-863
4.0
2020-01-28 CVE-2019-5472 Unspecified vulnerability in Gitlab
An authorization issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainers from deleting epic comments.
network
low complexity
gitlab
5.0
2020-01-28 CVE-2019-5470 Missing Authorization vulnerability in Gitlab
An information disclosure issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.
network
low complexity
gitlab CWE-862
5.0
2020-01-28 CVE-2019-5468 Improper Privilege Management vulnerability in Gitlab
A privilege escalation issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.
network
low complexity
gitlab CWE-269
6.5
2020-01-28 CVE-2019-5466 Authorization Bypass Through User-Controlled Key vulnerability in Gitlab
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.
network
low complexity
gitlab CWE-639
4.0
2020-01-28 CVE-2019-5465 Unspecified vulnerability in Gitlab
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later where using the move issue feature could result in disclosure of the newly created issue ID.
network
low complexity
gitlab
4.0
2020-01-28 CVE-2019-5464 Server-Side Request Forgery (SSRF) vulnerability in Gitlab
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in `url_blocker.rb`, which could result in SSRF wherever the library is utilized.
network
low complexity
gitlab CWE-918
7.5
2020-01-28 CVE-2019-5462 Insufficient Session Expiration vulnerability in Gitlab
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
network
gitlab CWE-613
6.8
2020-01-28 CVE-2019-15590 Unspecified vulnerability in Gitlab
An access control issue exists in GitLab Community Edition (CE) and Enterprise Edition (EE) < 12.3.5, < 12.2.8, and < 12.1.14 where private merge requests and issues would be disclosed through the Group Search feature provided by the Elasticsearch integration.
network
low complexity
gitlab
5.0