Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-3819

Summary
Assigner-GitLab
Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At-09 Nov, 2022 | 00:00
Updated At-01 May, 2025 | 19:20
Rejected At-
Credits

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
ā–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitLab
Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At:09 Nov, 2022 | 00:00
Updated At:01 May, 2025 | 19:20
Rejected At:
ā–¼CVE Numbering Authority (CNA)

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to.

Affected Products
Vendor
GitLab Inc.GitLab
Product
GitLab
Versions
Affected
  • >=15.0, <15.3.5
  • >=15.4, <15.4.4
  • >=15.5, <15.5.2
Problem Types
TypeCWE IDDescription
textN/AImproper authorization in GitLab
Type: text
CWE ID: N/A
Description: Improper authorization in GitLab
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
This vulnerability has been discovered internally by the GitLab team
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gitlab.com/gitlab-org/gitlab/-/issues/365847
N/A
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.json
N/A
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/365847
Resource: N/A
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.json
Resource: N/A
ā–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gitlab.com/gitlab-org/gitlab/-/issues/365847
x_transferred
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.json
x_transferred
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/365847
Resource:
x_transferred
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.json
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863 Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863 Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
ā–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@gitlab.com
Published At:10 Nov, 2022 | 00:15
Updated At:01 May, 2025 | 20:15

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CPE Matches
GitLab Inc.
gitlab
>>gitlab>>Versions from 15.0.0(inclusive) to 15.3.5(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 15.0.0(inclusive) to 15.3.5(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 15.4.0(inclusive) to 15.4.4(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 15.4.0(inclusive) to 15.4.4(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 15.5.0(inclusive) to 15.5.2(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 15.5.0(inclusive) to 15.5.2(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-863Primarynvd@nist.gov
CWE-863Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-863
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-863
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.jsoncve@gitlab.com
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/365847cve@gitlab.com
Broken Link
Vendor Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.jsonaf854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/365847af854a3a-2127-422b-91ae-364da2661108
Broken Link
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.json
Source: cve@gitlab.com
Resource:
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/365847
Source: cve@gitlab.com
Resource:
Broken Link
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3819.json
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/365847
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

176Records found
CVE-2023-3511
Matching Score-10
Assigner-GitLab Inc.
ShareView Details
Matching Score-10
Assigner-GitLab Inc.
CVSS Score-2||LOW
EPSS-0.40% / 31.19%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 15:31
Updated-20 Nov, 2025 | 04:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-0120
Matching Score-10
Assigner-GitLab Inc.
ShareView Details
Matching Score-10
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.36% / 27.64%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 10:01
Updated-20 Nov, 2025 | 04:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-1282
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.16% / 5.72%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 11:04
Updated-12 Feb, 2026 | 21:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2022-3381
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.61% / 44.50%
||
7 Day CHG~0.00%
Published-09 Mar, 2023 | 00:00
Updated-28 Feb, 2025 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-3280
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.52% / 40.18%
||
7 Day CHG~0.00%
Published-09 Nov, 2022 | 00:00
Updated-01 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-3288
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.64% / 46.00%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-13 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-471
Modification of Assumed-Immutable Data (MAID)
CVE-2026-9694
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-2.6||LOW
EPSS-0.21% / 11.18%
||
7 Day CHG-0.13%
Published-11 Jun, 2026 | 10:19
Updated-11 Jun, 2026 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Substitution Characters in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-153
Improper Neutralization of Substitution Characters
CVE-2021-39873
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.88% / 54.29%
||
7 Day CHG~0.00%
Published-04 Oct, 2021 | 16:43
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CVE-2021-39910
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-2.6||LOW
EPSS-0.95% / 56.77%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 15:47
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3254
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.15% / 4.73%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 16:29
Updated-23 Apr, 2026 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Rendered UI Layers or Frames in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CVE-2021-22232
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.75% / 50.04%
||
7 Day CHG~0.00%
Published-06 Jul, 2021 | 20:43
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-22202
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-2.4||LOW
EPSS-0.48% / 37.61%
||
7 Day CHG~0.00%
Published-02 Apr, 2021 | 16:25
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13266
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.55% / 41.89%
||
7 Day CHG~0.00%
Published-09 Jun, 2020 | 15:34
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2020-13265
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.73% / 49.28%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 21:42
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2025-12734
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.23% / 13.03%
||
7 Day CHG~0.00%
Published-11 Dec, 2025 | 07:32
Updated-23 Dec, 2025 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Encoding or Escaping of Output in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CVE-2024-5528
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.38% / 29.58%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 10:31
Updated-06 Aug, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incomplete Comparison with Missing Factors in GitLab

An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-1023
Incomplete Comparison with Missing Factors
CWE ID-CWE-697
Incorrect Comparison
CVE-2023-2013
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-2.6||LOW
EPSS-0.69% / 47.95%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 00:00
Updated-07 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CVE-2023-2001
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 43.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 00:00
Updated-07 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2023-2030
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.38% / 30.04%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 13:57
Updated-20 Nov, 2025 | 04:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Verification of Cryptographic Signature in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2023-0508
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.1||LOW
EPSS-0.76% / 50.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 00:00
Updated-07 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVE-2021-39879
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-2.2||LOW
EPSS-0.40% / 31.61%
||
7 Day CHG~0.00%
Published-04 Oct, 2021 | 16:42
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-39881
Matching Score-8
Assigner-GitLab Inc.
ShareView Details
Matching Score-8
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.85% / 53.29%
||
7 Day CHG~0.00%
Published-05 Oct, 2021 | 13:40
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CVE-2026-2619
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 24.92%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 22:25
Updated-14 Apr, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-20498
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.66% / 46.65%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-20494
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.65% / 73.43%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-20493
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.71% / 48.77%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-4315
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5||MEDIUM
EPSS-0.80% / 51.97%
||
7 Day CHG~0.00%
Published-08 Mar, 2023 | 00:00
Updated-04 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page.

Action-Not Available
Vendor-GitLab Inc.
Product-dynamic_application_security_testing_analyzerGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-5377
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.25%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 16:04
Updated-23 Apr, 2026 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-1752
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 22.60%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 22:25
Updated-14 Apr, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-1540
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-3.1||LOW
EPSS-0.22% / 12.31%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 08:31
Updated-06 Aug, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read and clone internal projects under certain circumstances."

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-9957
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-2.7||LOW
EPSS-0.31% / 22.80%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 16:05
Updated-23 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-4006
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 36.85%
||
7 Day CHG~0.00%
Published-25 Apr, 2024 | 13:30
Updated-02 Jun, 2026 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-2501
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.82% / 52.45%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 15:12
Updated-03 Aug, 2024 | 00:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-0765
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 25.83%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 06:33
Updated-08 Aug, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-8970
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-8.2||HIGH
EPSS-0.59% / 43.74%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 12:30
Updated-13 Dec, 2024 | 01:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-8974
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-2.6||LOW
EPSS-0.27% / 18.22%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 23:02
Updated-04 Oct, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Provision of Specified Functionality in GitLab

Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-684
Incorrect Provision of Specified Functionality
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-9623
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.33% / 24.62%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 09:30
Updated-16 Oct, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-9807
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.08%
||
7 Day CHG-0.01%
Published-28 May, 2026 | 07:34
Updated-29 May, 2026 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-6713
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 23.77%
||
7 Day CHG+0.10%
Published-27 May, 2026 | 17:55
Updated-27 May, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-0652
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.65%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 05:55
Updated-08 Aug, 2025 | 01:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-6269
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 8.37%
||
7 Day CHG-0.11%
Published-11 Jun, 2026 | 10:20
Updated-15 Jun, 2026 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-6277
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.84%
||
7 Day CHG-0.13%
Published-11 Jun, 2026 | 10:20
Updated-11 Jun, 2026 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-22211
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-3.1||LOW
EPSS-0.56% / 42.30%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 22:03
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-2095
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.73% / 49.47%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 15:12
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-22239
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5||MEDIUM
EPSS-0.57% / 42.85%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 14:41
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1935
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 46.33%
||
7 Day CHG~0.00%
Published-06 Jun, 2022 | 16:50
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-22256
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.73% / 49.41%
||
7 Day CHG+0.02%
Published-25 Aug, 2021 | 18:30
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1460
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.09% / 61.10%
||
7 Day CHG~0.00%
Published-11 May, 2022 | 14:45
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1983
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.55% / 41.62%
||
7 Day CHG~0.00%
Published-01 Jul, 2022 | 15:56
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1417
Matching Score-6
Assigner-GitLab Inc.
ShareView Details
Matching Score-6
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.92% / 55.77%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 20:30
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found