Versions
>=14.0, <14.0.2
>=13.5
>=13.12, <13.12.6
before 12.1.2
>=13.5 to <13.5.5
before 12.2.6
>=13.2, <13.4.7
>=13.3, <13.3.9
<13.3.9
before 12.3.2
before 12.0.4
<13.5.2
>=8.4 to <13.4.7
>=10.2, <13.3.9
<13.4.5
>=13.6, <13.6.2
before 12.2.8
>=13.4
before 11.11.6
>=13.6 to <13.6.2
before 12.3.5
>=13.7, <13.11.6
>=13.4, <13.4.5
>=8.12
>=13.5, <13.5.2
before 12.1.12
>=13.5, <13.5.5
before 12.1.14
Recent CVEs
CVE-2021-22240
Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled
CVE-2020-26412
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
CVE-2020-26416
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
CVE-2020-13349
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
CVE-2020-13348
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
CVE-2020-26406
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
CVE-2019-15581
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
CVE-2019-15582
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.