Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-22206

Summary
Assigner-GitLab
Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At-06 May, 2021 | 13:25
Updated At-03 Aug, 2024 | 18:37
Rejected At-
Credits

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitLab
Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At:06 May, 2021 | 13:25
Updated At:03 Aug, 2024 | 18:37
Rejected At:
▼CVE Numbering Authority (CNA)

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,

Affected Products
Vendor
GitLab Inc.GitLab
Product
GitLab
Versions
Affected
  • >=11.6, <13.9.7
  • >=13.10.0, <13.10.4
  • >=13.11.0, <13.11.2
Problem Types
TypeCWE IDDescription
textN/ACleartext storage of sensitive information in memory in GitLab
Type: text
CWE ID: N/A
Description: Cleartext storage of sensitive information in memory in GitLab
Metrics
VersionBase scoreBase severityVector
3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Thanks [jlneel](https://hackerone.com/jlneel) for reporting this vulnerability through our HackerOne bug bounty program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gitlab.com/gitlab-org/gitlab/-/issues/230864
x_refsource_MISC
https://hackerone.com/reports/928074
x_refsource_MISC
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json
x_refsource_CONFIRM
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/230864
Resource:
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/928074
Resource:
x_refsource_MISC
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gitlab.com/gitlab-org/gitlab/-/issues/230864
x_refsource_MISC
x_transferred
https://hackerone.com/reports/928074
x_refsource_MISC
x_transferred
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json
x_refsource_CONFIRM
x_transferred
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/230864
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/928074
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@gitlab.com
Published At:06 May, 2021 | 14:15
Updated At:13 May, 2021 | 13:22

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Secondary3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 4.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches
GitLab Inc.
gitlab
>>gitlab>>Versions from 11.6.0(inclusive) to 13.9.7(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 11.6.0(inclusive) to 13.9.7(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 13.10.0(inclusive) to 13.10.4(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 13.10.0(inclusive) to 13.10.4(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 13.11.0(inclusive) to 13.11.2(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 13.11.0(inclusive) to 13.11.2(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-312Primarynvd@nist.gov
CWE ID: CWE-312
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.jsoncve@gitlab.com
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/230864cve@gitlab.com
Broken Link
https://hackerone.com/reports/928074cve@gitlab.com
Permissions Required
Third Party Advisory
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22206.json
Source: cve@gitlab.com
Resource:
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/230864
Source: cve@gitlab.com
Resource:
Broken Link
Hyperlink: https://hackerone.com/reports/928074
Source: cve@gitlab.com
Resource:
Permissions Required
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

224Records found
CVE-2019-15594
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 55.98%
||
7 Day CHG~0.00%
Published-14 Feb, 2020 | 21:29
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-6997
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.55%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 19:57
Updated-04 Aug, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. System notes contain an access control issue that permits a guest user to view merge request titles.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2019-6996
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.90%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 19:56
Updated-04 Aug, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge request approvers section has an access control issue that permits project maintainers to view membership of private groups.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2019-5466
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 56.05%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 02:39
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabGitLab CE/EE
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2019-6791
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.55%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 20:25
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-281
Improper Preservation of Permissions
CVE-2019-5465
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.48% / 63.95%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 02:28
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab CE/EE
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-6790
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.11%
||
7 Day CHG~0.00%
Published-17 May, 2019 | 15:53
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Incorrect Access Control (issue 2 of 3) issue was discovered in GitLab Community and Enterprise Edition 8.14 and later but before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. Guest users were able to view the list of a group's merge requests.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-862
Missing Authorization
CVE-2019-6786
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 28.38%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 19:28
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 1 of 3). The contents of an LFS object can be accessed by an unauthorized user, if the file size and OID are known.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-6787
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 32.26%
||
7 Day CHG~0.00%
Published-17 May, 2019 | 15:49
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitLab API allowed project Maintainers and Owners to view the trigger tokens of other project users.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-15580
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 54.78%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 20:59
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabgitlab.com
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-15733
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.89%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 17:00
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 7.12 through 12.2.1. The specified default branch name could be exposed to unauthorized users.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-15577
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 32.48%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 21:00
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabGitLab CE/EE
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-15591
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.76%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 20:51
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-284
Improper Access Control
CVE-2019-19262
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.33%
||
7 Day CHG~0.00%
Published-03 Jan, 2020 | 16:36
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-19309
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-03 Jan, 2020 | 16:38
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-18461
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.27%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 14:44
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-18447
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.27%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:49
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-18448
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 27.00%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:48
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-18462
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.27%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 14:44
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-18450
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.27%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:44
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-18449
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.27%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:47
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-15734
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 35.12%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 17:01
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-15592
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.74% / 71.89%
||
7 Day CHG~0.00%
Published-14 Feb, 2020 | 21:27
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-12429
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 23.11%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 13:10
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-13005
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.73%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 14:57
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab graphql service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-12825
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.76%
||
7 Day CHG~0.00%
Published-17 Feb, 2020 | 13:54
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2019-11544
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.66%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 18:28
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It allows Information Disclosure. Non-member users who subscribe to notifications of an internal project with issue and repository restrictions will receive emails about restricted events.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-11000
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.61% / 68.76%
||
7 Day CHG~0.00%
Published-10 May, 2019 | 19:43
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Enterprise Edition before 11.7.11, 11.8.x before 11.8.7, and 11.9.x before 11.9.7. It allows Information Disclosure.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-13011
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 17:09
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute-force a user with access to a project, but not it's repository could create a list of merge requests template names. It has excessive algorithmic complexity.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-13006
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 16:57
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 9.0 and through 12.0.2. Users with access to issues, but not the repository were able to view the number of related merge requests on an issue. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-12431
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 13:41
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Restricted users could access the metadata of private milestones through the Search API. It has Improper Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-12434
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 13:48
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2019-13002
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.10%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 14:51
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-12432
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 13:43
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.13 through 11.11. Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. It allows Information Disclosure.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-11549
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.32%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 18:54
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly has allows an information disclosure issue where HTTP/GIT credentials are included in logs on connection errors.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-7554
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.06% / 18.91%
||
7 Day CHG~0.00%
Published-08 Aug, 2024 | 10:30
Updated-29 Aug, 2024 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information to an Unauthorized Actor in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-10115
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 39.18%
||
7 Day CHG~0.00%
Published-16 May, 2019 | 14:46
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-10116
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.72%
||
7 Day CHG~0.00%
Published-16 May, 2019 | 14:55
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-19087
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 13.67%
||
7 Day CHG~0.00%
Published-03 Jan, 2020 | 15:38
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2018-20488
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.27%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-3740
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.47%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys .

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-285
Improper Authorization
CVE-2024-5067
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.07% / 20.77%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 22:08
Updated-05 Sep, 2024 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information to an Unauthorized Actor in GitLab

An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-1042
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.02% / 4.57%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 15:02
Updated-06 Aug, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Files or Directories Accessible to External Parties in GitLab

An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2019-7549
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.35%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 15:42
Updated-04 Aug, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.5.10, 11.6.x before 11.6.8, and 11.7.x before 11.7.3. It has Incorrect Access Control. The GitLab pipelines feature is vulnerable to authorization issues that allow unauthorized users to view job information.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CVE-2019-6794
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.55%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 19:41
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest user can view the last commit status of the default branch.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2019-6789
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.89%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 19:32
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project permissions will receive emails after a project move. For private projects, this will disclose the new project namespace to an unauthorized user.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-22194
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.04% / 8.65%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 19:08
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In all versions of GitLab, marshalled session keys were being stored in Redis.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2018-18641
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.31%
||
7 Day CHG~0.00%
Published-04 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Cleartext Storage of Sensitive Information.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-3950
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 11.18%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 10:30
Updated-22 May, 2025 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cleartext Storage of Sensitive Information in GitLab

An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-19314
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.06% / 18.77%
||
7 Day CHG~0.00%
Published-05 Jan, 2020 | 21:47
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found