2024

2023

2022

2021

CVE-2021-22263 (v3: 6.5) 11 Oct 2021
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.

2020

CVE-2020-12275 (v3: 5.3) 29 Apr 2020
GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.
CVE-2020-8113 (v3: 9.8) 6 Mar 2020
GitLab 10.7 and later through 12.7.2 has Incorrect Access Control.

2019

CVE-2019-12429 (v3: 6.5) 10 Mar 2020
An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.
CVE-2019-5462 (v3: 8.8) 28 Jan 2020
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.
CVE-2019-5468 (v3: 8.8) 28 Jan 2020
An privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account.
CVE-2019-5472 (v3: 7.5) 28 Jan 2020
An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainer to delete epic comments.
CVE-2019-18462 (v3: 4.3) 26 Nov 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions.
CVE-2019-15741 (v3: 9.8) 16 Sep 2019
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-6960 (v3: 9.8) 9 Sep 2019
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Access to the internal wiki is permitted when an external wiki service is enabled.

2018

2017

CVE-2017-11438 (v3: 6.3) 2 Aug 2017
GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup.

2016

2015