2024

2023

2022

2021

2020

CVE-2020-11505 (v3: 7.5) 22 Apr 2020
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 12.7.9, 12.8.x before 12.8.9, and 12.9.x before 12.9.3. A Workhorse bypass could lead to NuGet package and file disclosure (Exposure of Sensitive Information) via request smuggling.
CVE-2020-11506 (v3: 7.5) 22 Apr 2020
An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.
CVE-2020-10975 (v3: 4.3) 8 Apr 2020
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.
CVE-2020-10976 (v3: 7.5) 8 Apr 2020
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
CVE-2020-10978 (v3: 5.3) 8 Apr 2020
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.
CVE-2020-10979 (v3: 4.3) 8 Apr 2020
GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.
CVE-2020-10955 (v3: 6.5) 27 Mar 2020
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
CVE-2020-10080 (v3: 5.3) 13 Mar 2020
GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.
CVE-2020-10084 (v3: 5.3) 13 Mar 2020
GitLab EE 11.6 through 12.8.1 allows Information Disclosure. Sending a specially crafted request to the vulnerability_feedback endpoint could result in the exposure of a private project namespace.
CVE-2020-10085 (v3: 5.3) 13 Mar 2020
GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing private merge request titles.
CVE-2020-10087 (v3: 7.5) 13 Mar 2020
GitLab before 12.8.2 allows Information Disclosure. Badge images were not being proxied, causing mixed content warnings as well as leaking the IP address of the user.
CVE-2020-10090 (v3: 5.3) 13 Mar 2020
GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.
CVE-2020-6833 (v3: 7.5) 5 Feb 2020
An issue was discovered in GitLab EE 11.3 and later. A GitLab Workhorse bypass could lead to package and file disclosure via request smuggling.
CVE-2020-7969 (v3: 7.5) 5 Feb 2020
GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure.
CVE-2020-7974 (v3: 5.3) 5 Feb 2020
GitLab EE 10.1 through 12.7.2 allows Information Disclosure.
CVE-2020-7976 (v3: 5.3) 5 Feb 2020
GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control.
CVE-2020-6832 (v3: 5.3) 13 Jan 2020
An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects.

2019

CVE-2019-13006 (v3: 4.3) 10 Mar 2020
An issue was discovered in GitLab Community and Enterprise Edition 9.0 through 12.0.2. Users with access to issues, but not the repository, were able to view the number of related merge requests on an issue. It has Incorrect Access Control.
CVE-2019-13002 (v3: 4.3) 10 Mar 2020
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.
CVE-2019-12431 (v3: 4.3) 10 Mar 2020
An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access Control.
CVE-2019-12432 (v3: 4.3) 10 Mar 2020
An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure.
CVE-2019-12434 (v3: 4.3) 10 Mar 2020
An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure.
CVE-2019-15592 (v3: 4.3) 14 Feb 2020
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.
CVE-2019-15594 (v3: 4.3) 14 Feb 2020
GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.
CVE-2019-15578 (v3: 5.3) 28 Jan 2020
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
CVE-2019-15579 (v3: 5.3) 28 Jan 2020
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones.
CVE-2019-15582 (v3: 5.3) 28 Jan 2020
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
CVE-2019-15583 (v3: 7.5) 28 Jan 2020
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
CVE-2019-15590 (v3: 7.5) 28 Jan 2020
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by the Elasticsearch integration.
CVE-2019-5465 (v3: 4.3) 28 Jan 2020
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later: using the move issue feature could result in disclosure of the newly created issue ID.
CVE-2019-5466 (v3: 4.3) 28 Jan 2020
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.
CVE-2019-5470 (v3: 7.5) 28 Jan 2020
An information disclosure issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.
CVE-2019-20147 (v3: 5.3) 13 Jan 2020
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control.
CVE-2019-20148 (v3: 5.3) 13 Jan 2020
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
CVE-2019-19629 (v3: 7.5) 5 Jan 2020
In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
CVE-2019-19312 (v3: 5.8) 5 Jan 2020
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
CVE-2019-19256 (v3: 5.3) 3 Jan 2020
GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control.
CVE-2019-19257 (v3: 5.3) 3 Jan 2020
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).
CVE-2019-19258 (v3: 5.3) 3 Jan 2020
GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control.
CVE-2019-19309 (v3: 4.3) 3 Jan 2020
GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.
CVE-2019-19086 (v3: 4.3) 3 Jan 2020
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2).
CVE-2019-19087 (v3: 4.3) 3 Jan 2020
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).
CVE-2019-19254 (v3: 5.3) 3 Jan 2020
GitLab Community Edition (CE) and Enterprise Edition (EE) 9.6 and later through 12.5 has Incorrect Access Control.
CVE-2019-15576 (v3: 7.5) 18 Dec 2019
An information disclosure vulnerability exists in GitLab CE/EE
CVE-2019-15577 (v3: 4.3) 18 Dec 2019
An information disclosure vulnerability exists in GitLab CE/EE
CVE-2019-15580 (v3: 6.5) 18 Dec 2019
An information exposure vulnerability exists in gitlab.com
CVE-2019-15591 (v3: 6.5) 18 Dec 2019
An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled.
CVE-2019-5487 (v3: 5.3) 18 Dec 2019
An improper access control vulnerability exists in Gitlab EE
CVE-2019-18448 (v3: 6.5) 26 Nov 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.
CVE-2019-18449 (v3: 4.3) 26 Nov 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
CVE-2019-18456 (v3: 5.3) 26 Nov 2019
An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by the Elasticsearch integration. It has Insecure Permissions (issue 1 of 4).
CVE-2019-18460 (v3: 7.5) 26 Nov 2019
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4 in the Comments Search feature provided by the Elasticsearch integration. It has Incorrect Access Control.
CVE-2019-18461 (v3: 4.3) 26 Nov 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.
CVE-2019-15729 (v3: 7.5) 17 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request.
CVE-2019-15734 (v3: 4.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these.
CVE-2019-15738 (v3: 5.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email.
CVE-2019-15740 (v3: 5.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads.
CVE-2019-15725 (v3: 7.5) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API could result in disclosure of private milestones, labels, and other information.
CVE-2019-15726 (v3: 5.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server.
CVE-2019-15727 (v3: 5.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.2 through 12.2.1. Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users.
CVE-2019-15732 (v3: 5.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.
CVE-2019-15733 (v3: 4.3) 16 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 7.12 through 12.2.1. The specified default branch name could be exposed to unauthorized users.
CVE-2019-6782 (v3: 7.5) 9 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 1 of 6). An authorization issue allows the contributed project information of a private profile to be viewed.
CVE-2019-6788 (v3: 7.5) 9 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 3 of 6). For installations using GitHub or Bitbucket OAuth integrations, it is possible to use a covert redirect to obtain the user OAuth token for those services.
CVE-2019-6789 (v3: 4.3) 9 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project permissions will receive emails after a project move. For private projects, this will disclose the new project namespace to an unauthorized user.
CVE-2019-6792 (v3: 5.3) 9 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Path Disclosure. When an error is encountered on project import, the error message will display instance internal information.
CVE-2019-6794 (v3: 4.3) 9 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest user can view the last commit status of the default branch.

2018

CVE-2018-20488 (v3: 4.3) 30 Dec 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
CVE-2018-20495 (v3: 5.3) 30 Dec 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
CVE-2018-19582 (v3: 4.3) 10 Jul 2019
GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.
CVE-2018-18640 (v3: 6.5) 4 Dec 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching.
CVE-2018-18644 (v3: 6.5) 4 Dec 2018
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows Information Exposure via a Gitlab Prometheus integration.
CVE-2018-18645 (v3: 4.3) 4 Dec 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for Information Exposure via unsubscribe links in email replies.
CVE-2018-18648 (v3: 7.5) 4 Dec 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through an Error Message.
CVE-2018-17939 (v3: 7.5) 4 Dec 2018
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the merge request JSON endpoint.
CVE-2018-17975 (v3: 5.3) 4 Dec 2018
An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API.
CVE-2018-17976 (v3: 6.5) 4 Dec 2018
An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions.
CVE-2018-16051 (v3: 6.5) 3 Oct 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Orphaned Upload Files Exposure.
CVE-2018-14602 (v3: 7.5) 27 Jul 2018
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames.
CVE-2018-1000196 (v3: 6.5) 5 Jun 2018
An exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb and views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. a malicious extension) to retrieve the configured Gitlab token.

2017

CVE-2017-0882 (v3: 6.3) 28 Mar 2017
Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.

2016

CVE-2016-9086 (v3: 6.5) 3 Nov 2016
GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. GitLab CE and EE versions 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10, 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.

2015