GitLab GitLab Version Control Server
stack.watch can notify you when security vulnerabilities are reported in any GitLab product. You can add multiple products that you use with GitLab to create your own personal software stack watcher.
Products by GitLab Sorted by Most Security Vulnerabilities since 2018
@gitlab Tweets
"Scratch paper, check. Whiteboard, check. Chex Mix, check."
You can still use Sheldon's recipe for #brainstorming… https://t.co/xkf05UrxsF
Tue Jul 07 20:05:03 +0000 2020
Tue Jul 07 20:05:03 +0000 2020
RT @putadent: Another showcase of @PrometheusIO 2.19 memory improvements this time @gitlab!!
https://t.co/1S38ojKdA2
I'm going to assum…
Tue Jul 07 20:02:24 +0000 2020
Tue Jul 07 20:02:24 +0000 2020
RT @j4yav: The next public @GitLab #CICD coffee chat has been scheduled for July 30! ☕
Please sign up at https://t.co/CROF4KHMuk if you're…
Tue Jul 07 20:02:14 +0000 2020
Tue Jul 07 20:02:14 +0000 2020
Get a holistic guide to #GitOps and the Cloud Operating Model with @HashiCorp ➕ GitLab!
��️ July 8th @ 9am PT
➡️… https://t.co/WuODKoOIy8
Tue Jul 07 17:48:02 +0000 2020
Tue Jul 07 17:48:02 +0000 2020
By the Year
In 2020 there have been 145 vulnerabilities in GitLab with an average score of 6.3 out of ten. Last year GitLab had 165 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in GitLab in 2020 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2020 is greater by 0.02.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2020 | 145 | 6.27 |
| 2019 | 165 | 6.25 |
| 2018 | 33 | 7.06 |
It may take a day or so for new GitLab vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest GitLab Security Vulnerabilities
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1
CVE-2020-13264
5.3 - Medium
- June 19, 2020
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
Information Leak
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1
CVE-2020-13263
8.8 - High
- June 19, 2020
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions.
AuthZ
Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1
CVE-2020-13261
2.7 - Low
- June 19, 2020
Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code
Insufficiently Protected Credentials
Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1
CVE-2020-13262
6.1 - Medium
- June 19, 2020
Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link
XSS
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1
CVE-2020-13265
5.3 - Medium
- June 19, 2020
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification
Insufficient Verification of Data Authenticity
OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1
CVE-2020-13272
8.8 - High
- June 19, 2020
OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
AuthZ
A Denial of Service vulnerability
CVE-2020-13273
7.5 - High
- June 19, 2020
A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1
Uncontrolled Resource Consumption ('Resource Exhaustion')
A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1
CVE-2020-13275
8.1 - High
- June 19, 2020
A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1
AuthZ
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1
CVE-2020-13276
4.3 - Medium
- June 19, 2020
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1
AuthZ
A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1
CVE-2020-13274
7.5 - High
- June 19, 2020
A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1
Uncontrolled Resource Consumption ('Resource Exhaustion')
An authorization issue in the mirroring logic
CVE-2020-13277
6.5 - Medium
- June 19, 2020
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5
AuthZ
A Stored Cross-Site Scripting vulnerability
CVE-2020-13267
6.1 - Medium
- June 10, 2020
A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1
XSS
A Reflected Cross-Site Scripting vulnerability
CVE-2020-13269
6.1 - Medium
- June 10, 2020
A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1
XSS
A Stored Cross-Site Scripting vulnerability
CVE-2020-13271
6.1 - Medium
- June 10, 2020
A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1
XSS
A specially crafted request could be used to confirm the existence of files hosted on object storage services
CVE-2020-13268
5.3 - Medium
- June 10, 2020
A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1
Improper Input Validation
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1
CVE-2020-13270
8.8 - High
- June 10, 2020
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API
Incorrect Default Permissions
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1
CVE-2020-13266
4.3 - Medium
- June 09, 2020
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions
AuthZ
GitLab EE 12.8 and later
CVE-2020-12448
5.3 - Medium
- May 07, 2020
GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet.
Directory traversal
GitLab 12.6 through 12.9 is vulnerable to a privilege escalation
CVE-2020-12275
5.3 - Medium
- April 29, 2020
GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.
Improper Privilege Management
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.
CVE-2020-12276
4.8 - Medium
- April 29, 2020
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.
XSS