This article is part of our Vulnerability Database.
Path Traversal occurrences in GitLab
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was not performing correct authentication on Grafana API under specific conditions allowing unauthenticated users to perform queries through a path traversal vulnerability. (2022-08-05, CVE-2022-2531)
A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token (2021-04-12, CVE-2021-22190)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal was found in LFS Upload that allows an attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2. (2020-11-19, CVE-2020-13355)
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are: >=12.8, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2. (2020-11-17, CVE-2020-26405)
A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a Docker executor, an attacker can run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable. (2020-10-07, CVE-2020-13347)
GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. (2020-05-07, CVE-2020-12448)
GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects. (2020-04-08, CVE-2020-10977)
In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. (2020-03-27, CVE-2020-10953)
GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read. (2020-03-13, CVE-2020-10086)
GitLab EE 11.11 and later through 12.7.2 allows Directory Traversal. (2020-02-05, CVE-2020-7966)
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. (2020-01-05, CVE-2019-19628)
GitLab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal. (2020-01-03, CVE-2019-19088)
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. GitLab Pages contains a directory traversal vulnerability that could lead to remote command execution. (2019-09-09, CVE-2019-6783)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions. (2019-04-17, CVE-2019-9222)
GitLab Community and Enterprise Edition before 11.3.14, 11.4.x before 11.4.12, and 11.5.x before 11.5.5 allows Directory Traversal. (2019-04-04, CVE-2018-20229)
GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x before 11.4.11, and 11.5.x before 11.5.4 has Incorrect Access Control. (2019-03-28, CVE-2018-20144)
GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API. (2019-03-26, CVE-2018-19856)
An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal. (2019-03-25, CVE-2019-6240)
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component. (2018-07-18, CVE-2018-14364)
GitLab Community and Enterprise Editions version 10.3.3 are vulnerable to an Insecure Temporary File in the project import component, resulting in remote code execution. (2018-03-21, CVE-2018-3710)
Why Path Traversal can be dangerous
Relative Path Confusion arises when a web server is configured to serve responses for ambiguous URLs, so that the browser cannot reliably determine the base path against which relative references in the response are resolved. The problem also affects resources such as images and stylesheets that the response references by relative path rather than by absolute URL.
If the web browser is willing to parse a "cross-content" response, an attacker may be able to fool the browser into interpreting a response of another content type as HTML, which can then lead to a cross-site scripting (XSS) attack.