Headline
CVE-2021-22258: 2021/CVE-2021-22258.json · master · GitLab.org / cves · GitLab
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses
Related news
An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE since version 13.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.
In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.
In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.