CVE-2022-2539 | Medium | Yes | Unknown | Unauthorized users can filter issues by contact and organization
CVE-2022-2534 | Low | Yes | Unknown | GitLab was returning contributor emails due to improper data handling in the Datadog integration
CVE-2022-2512 | Medium | Yes | Unknown | Membership changes are not reflected in TODOs for confidential notes, allowing former project members to read updates via TODOs
CVE-2022-2500 | Medium | Yes | Unknown | Stored XSS in job error messages allows attackers to perform arbitrary actions on behalf of victims on the client side
CVE-2022-2497 | Medium | Yes | Unknown | A malicious maintainer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an...
CVE-2022-2456 | Medium | Yes | Unknown | It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request
CVE-2022-2417 | Medium | Yes | Unknown | GitLab allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused...
CVE-2022-2326 | Medium | Yes | Unknown | It may be possible to gain access to a private project through an email invite by using another user's email address as an unverified secondary email
CVE-2022-2307 | Low | Yes | Unknown | GitLab allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited
CVE-2022-2303 | Medium | Yes | Unknown | It may be possible for group members to bypass 2FA enforcement enabled at the group level by using the Resource Owner Password Credentials grant to obtain an...
CVE-2022-2095 | Medium | Yes | Unknown | GitLab allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission