Security Research — CVEs
42 CVEs discovered in GitLab via the HackerOne Bug Bounty Program
Active participant in the GitLab Bug Bounty Program on HackerOne, with 42 CVEs discovered across access control, information disclosure, XSS, and authentication bypass categories.
| CVE | Description | GitLab Release | Date |
|---|---|---|---|
| CVE-2021-39898 | Project export leaked external webhook token | 14.4.1 | 2021-10-28 |
| CVE-2020-13301 | Stored XSS on standalone vulnerability page | 13.3.3 | 2020-09-02 |
| CVE-2020-13307 | Sessions not revoked on 2FA activation | 13.3.3 | 2020-09-02 |
| CVE-2020-13297 | 2FA for groups bypass via API | 13.3.3 | 2020-09-02 |
| CVE-2020-13326 | GitHub project import restriction bypass via API | 13.1.2 | 2020-07-01 |
| CVE-2020-13264 | Kubernetes cluster token visible to other group maintainers | 13.0.1 | 2020-05-27 |
| CVE-2020-13267 | Stored XSS on Metrics Dashboard | 13.0.1 | 2020-05-27 |
| CVE-2020-13261 | Amazon EKS credentials disclosed in HTML source | 13.0.1 | 2020-05-27 |
| CVE-2020-12452 | API call could make admin audit log inaccessible | 12.10.2 | 2020-04-30 |
| CVE-2020-10979 | Restricted CI pipeline metrics visible to members | 12.9.1 | 2020-03-26 |
| CVE-2020-10976 | Restricted pipeline status leaked via MR widget | 12.9.1 | 2020-03-26 |
| CVE-2020-10092 | XSS in Grafana integration view | 12.8.2 | 2020-03-04 |
| CVE-2020-8113 | Docker registry improperly accessible via deploy tokens | 12.8.2 | 2020-03-04 |
| CVE-2020-10085 | Private MR titles exposed via widget | 12.8.2 | 2020-03-04 |
| CVE-2020-7969 | Unexpired Todos disclosed confidential issues/MRs | 12.7.4 | 2020-01-30 |
| CVE-2020-7976 | Grafana token displayed in plaintext | 12.7.4 | 2020-01-30 |
| CVE-2019-20143 | Unauthenticated access to release milestones/issues | 12.6.2 | 2020-01-02 |
| CVE-2019-19087 | Restricted project comments guessable via Elasticsearch | 12.5.1 | 2019-11-27 |
| CVE-2019-19314 | Tokens stored in plaintext (now encrypted) | 12.5.1 | 2019-11-27 |
| CVE-2019-18456 | Private comments disclosed via Elasticsearch group search | 12.4.1 | 2019-10-30 |
| CVE-2019-15591 | Container/dependency scanning reports visible despite disabled public pipelines | 12.3.3 | 2019-10-02 |
| CVE-2019-15580 | Unauthenticated head pipeline data disclosure via blocking MRs | 12.3.2 | 2019-09-30 |
| CVE-2019-15729 | Internal endpoint disclosed last MR pipeline info | 12.2.3 | 2019-08-29 |
| CVE-2019-15727 | CI results exposed to unauthorized users | 12.2.3 | 2019-08-29 |
| CVE-2019-15724 | HTML injection in label descriptions | 12.2.3 | 2019-08-29 |
| CVE-2019-15723 | Push rules bypass | 12.2.3 | 2019-08-29 |
| CVE-2019-5463 | CI badge images disclosed build status | 12.1.2 | 2019-07-29 |
| CVE-2019-13002 | Unauthorized read of last MR pipeline info | 12.0.3 | 2019-07-03 |
| CVE-2019-13005 | GraphQL disclosed restricted user/group/repo metadata | 12.0.3 | 2019-07-03 |
| CVE-2019-13006 | Related MR count visible without repo access | 12.0.3 | 2019-07-03 |
| CVE-2019-12431 | Restricted users could access private milestone metadata via Search API | 11.11.1 | 2019-06-03 |
| CVE-2019-11545 | Private project namespace leaked when moving issues | 11.10.2 | 2019-04-29 |
| CVE-2019-10115 | Guest users could access release details | 11.9.4 | 2019-04-01 |
| CVE-2019-9890 | Permissions issue on commit discussions/notes | 11.8.1 | 2019-03-04 |
| CVE-2019-7353 | Releases disclosed confidential issue/MR titles | 11.7.4 | 2019-02-05 |
| CVE-2019-6997 | Guest could view MR titles via system notes | 11.7.3 | 2019-01-31 |
| CVE-2019-6794 | Guest could view last commit status of default branch | 11.7.3 | 2019-01-31 |
| CVE-2019-6960 | Internal wiki accessible when external wiki enabled | 11.7.3 | 2019-01-31 |
| CVE-2019-7549 | Unauthorized pipeline job info disclosure | 11.7.3 | 2019-01-31 |
| CVE-2018-20492 | Improper access control in todos — access to confidential issues/MRs | 11.6.1 | 2018-12-31 |
| CVE-2018-20494 | Guest users could access CI job info via API | 11.6.1 | 2018-12-31 |
| CVE-2018-19493 | Persistent XSS on Environments page | 11.5.1 | 2018-11-28 |