| CVE | Severity |  | Type | Description |
|---|---|---|---|---|
| CVE-2021-39914 | Low | Yes | Denial of service | A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a... |
| CVE-2021-39913 | Medium | No | Information disclosure | Accidental logging of the system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain... |
| CVE-2021-39912 | Medium | Yes | Denial of service | A potential denial of service vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF image, it was possible to trigger... |
| CVE-2021-39911 | Low | Yes | Information disclosure | An improper access control flaw in GitLab CE/EE since version 13.9 exposes the private email address of Issue and Merge Request assignees to Webhook data consumers. |
| CVE-2021-39909 | Medium | Yes | Access restriction bypass | Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass... |
| CVE-2021-39907 | Medium | Yes | Denial of service | A potential denial of service vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images... |
| CVE-2021-39906 | High | Yes | Cross-site scripting | Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. |
| CVE-2021-39905 | Medium | Yes | Information disclosure | An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public... |
| CVE-2021-39904 | Medium | Yes | Access restriction bypass | An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE since version 13.1 allows a Merge Request creator to resolve discussions and... |
| CVE-2021-39903 | Medium | Yes | Access restriction bypass | In all versions of GitLab CE/EE since version 13.0, a low privileged user, through an API call, can change the visibility level of a group or a project to a... |
| CVE-2021-39902 | Medium | Yes | Access restriction bypass | Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. |
| CVE-2021-39901 | Low | Yes | Information disclosure | In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. |
| CVE-2021-39898 | Low | Yes | Information disclosure | In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value, which may allow access to the project which it... |
| CVE-2021-39897 | Low | Yes | Access restriction bypass | Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have... |
| CVE-2021-39895 | Medium | Yes | Information disclosure | In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export, so when an unsuspecting owner... |