CVE-2021-39900 | Low | Yes | Information disclosure | Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary...
CVE-2021-39899 | Low | No | Insufficient validation | In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function....
CVE-2021-39896 | Low | Yes | Content spoofing | In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as...
CVE-2021-39894 | Medium | Yes | Cross-site request forgery | In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server...
CVE-2021-39893 | Medium | Yes | Denial of service | A potential denial of service vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
CVE-2021-39892 | Medium | Yes | Information disclosure | In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and...
CVE-2021-39891 | Medium | Yes | Information disclosure | In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of...
CVE-2021-39890 | Low | Yes | Access restriction bypass | It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
CVE-2021-39887 | High | Yes | Cross-site scripting | A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary...
CVE-2021-39886 | Low | Yes | Information disclosure | Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7,...
CVE-2021-39882 | Medium | Yes | Information disclosure | In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
CVE-2021-39881 | Low | Yes | Content spoofing | In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names...
CVE-2021-39879 | Low | No | Authentication bypass | Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor...
CVE-2021-39878 | Medium | Yes | Cross-site scripting | A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary...
CVE-2021-39877 | High | Yes | Denial of service | A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.
CVE-2021-39875 | Medium | Yes | Information disclosure | In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
CVE-2021-39874 | Medium | Yes | Authentication bypass | In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.
CVE-2021-39873 | Medium | Yes | Content spoofing | In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious...
CVE-2021-39872 | Medium | Yes | Access restriction bypass | In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab...
CVE-2021-39871 | Medium | Yes | Access restriction bypass | In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker...
CVE-2021-39870 | Medium | Yes | Access restriction bypass | In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker...
CVE-2021-39869 | Medium | Yes | Information disclosure | In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.
CVE-2021-39868 | Medium | Yes | Denial of service | In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by...
CVE-2021-39867 | Medium | Yes | Cross-site request forgery | In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side...
CVE-2021-39866 | Medium | Yes | Access restriction bypass | A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.