Skip to main content

Gitlab

Vendor security scorecard – 1245 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 4002
1245
CVEs
61
Critical
283
High
4
KEV
255
PoC
287
Unpatched C/H
16.0%
Patch Rate
2.6%
Avg EPSS

Severity Breakdown

CRITICAL
61
HIGH
283
MEDIUM
806
LOW
94

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2023-7028 An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 10.0 93.5% 214
KEV PoC No patch
CVE-2013-4490 The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 49.8%. MEDIUM 6.5 49.8% 117
PoC
CVE-2021-22205 An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 10.0 99.7% 85
KEV PoC No patch
CVE-2022-2992 A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. CRITICAL 9.9 86.2% 84
PoC No patch
CVE-2018-18843 The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 10.0 1.6% 70
PoC No patch
CVE-2018-14364 GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 50.1% 69
PoC No patch
CVE-2018-16049 An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 2.1% 69
PoC No patch
CVE-2019-9756 An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 2.2% 69
PoC No patch
CVE-2019-6960 An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 2.1% 69
PoC No patch
CVE-2019-15741 An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 3.1% 69
PoC No patch
CVE-2021-22203 An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 1.4% 69
PoC No patch
CVE-2021-22175 When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 53.4% 69
KEV PoC No patch
CVE-2022-0735 An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. CRITICAL 9.8 13.2% 69
PoC No patch
CVE-2022-1162 A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 76.2% 69
PoC No patch
CVE-2024-45409 The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. CRITICAL 9.8 10.7% 69
PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy