U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:gitlab:gitlab:15.5.5:*:*:*:enterprise:*:*:*
  • CPE Name Search: true
There are 134 matching records.
Displaying matches 121 through 134.
Vuln ID Summary CVSS Severity
CVE-2022-4342

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook.

Published: January 11, 2023; 11:15:10 PM -0500
V3.1: 3.8 LOW
V2.0:(not available)
CVE-2022-4167

Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.

Published: January 11, 2023; 11:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-4131

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.

Published: January 11, 2023; 11:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-4037

An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.

Published: January 11, 2023; 11:15:09 PM -0500
V3.1: 8.5 HIGH
V2.0:(not available)
CVE-2022-3870

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.

Published: January 11, 2023; 11:15:08 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-3613

An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query can cause high resource consumption and may lead to Denial of Service.

Published: January 11, 2023; 11:15:08 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-3573

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.

Published: January 11, 2023; 11:15:08 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-3514

An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.

Published: January 11, 2023; 11:15:08 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-32823

In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.

Published: June 23, 2021; 8:15:08 PM -0400
V3.1: 3.7 LOW
V2.0: 4.3 MEDIUM
CVE-2021-22201

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.

Published: April 02, 2021; 1:15:12 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-22198

An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.

Published: April 02, 2021; 1:15:12 PM -0400
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-22197

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other

Published: April 02, 2021; 1:15:12 PM -0400
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-22196

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.

Published: April 02, 2021; 1:15:12 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2019-6781

An Improper Input Validation issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It was possible to use the profile name to inject a potentially malicious link into notification emails.

Published: May 17, 2019; 12:29:05 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM