gitlab-org/gitlab-pages on GitLab
GitLab Pages daemon used to serve static websites for GitLab users
CVE History
| CVE | Published | CVSS v2 | CVSS v3 |
|---|---|---|---|
| CVE-2019-14942 | 5.9 MEDIUM | N/A | |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent over cleartext HTTP. | |||
| CVE-2023-0042 | 6.1 MEDIUM | N/A | |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. | |||
| CVE-2022-1121 | 5.3 MEDIUM | 5 MEDIUM | |
| A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption. | |||
| CVE-2021-22171 | 6.5 MEDIUM | 4.3 MEDIUM | |
| Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link | |||
| CVE-2018-19572 | 5.9 MEDIUM | 4.3 MEDIUM | |
| GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11. | |||