Gitlab: Security Vulnerabilities
In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not revoked when a user revoked access to an application.
CVSS Score
4.2
EPSS Score
0.003
Published
2020-08-10
GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.
CVSS Score
5.3
EPSS Score
0.001
Published
2020-07-07
Client side code execution in gitlab-vscode-extension v2.2.0 allows attacker to execute code on user system
CVSS Score
8.6
EPSS Score
0.002
Published
2020-06-22
Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions.
CVSS Score
7.5
EPSS Score
0.002
Published
2020-06-19
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
CVSS Score
5.3
EPSS Score
0.001
Published
2020-06-19
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1
CVSS Score
7.4
EPSS Score
0.001
Published
2020-06-19
Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link
CVSS Score
6.1
EPSS Score
0.002
Published
2020-06-19
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification
CVSS Score
4.3
EPSS Score
0.001
Published
2020-06-19
OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
CVSS Score
7.5
EPSS Score
0.001
Published
2020-06-19