GitLab is a popular Git-based Source Code Management system (SCM) provided by GitLab Inc. as both a cloud and an on-premise service. GitLab has Continuous Integration and Continuous Development (CI/CD) capabilities offering automatic builds, tests and deployments through a configuration file named `.gitlab-ci.yml`.

When exposed with the web application, this file can be used by an attacker to gain access to sensitive information.

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.

GitLab CE/EE versions starting from 10.5 before 13.10.5, 13.11 before 13.11.5 and 13.12 before 13.12.2 suffer from a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled. An unauthenticated attacker could leverage this issue to make the target server perform blind network requests to arbitrary hosts.

This is an informational notice that the scanner was able to detect public projects on the target GitLab instance.

This is an informational notice that the scanner was able to detect a GitLab public sign-up page on the target instance.

This is an informational notice that the scanner was able to detect public snippets on the target GitLab instance.

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9 through 13.8.8 / 13.9.6 / 13.10.3. This is the result of improper validation of image files by a 3rd-party file parser Exif-Tool, resulting in a remote command execution.

ID	Name	Product	Family	Published	Updated	Severity
113142	GitLab CI Configuration Detected	Web App Scanning	Data Exposure	2/15/2022	2/15/2022	medium
113210	GitLab 13.x < 14.6.5 / 14.7.x < 14.7.4 / 14.8.x < 14.8.2 User Enumeration	Web App Scanning	Component Vulnerability	3/24/2022	4/15/2022	medium
113091	GitLab 10.5.x < 13.10.5 / 13.11.x < 13.11.5 / 13.12.x < 13.12.2 Server-Side Request Forgery	Web App Scanning	Component Vulnerability	4/21/2022	4/21/2022	high
114617	GitLab Public Projects Detected	Web App Scanning	Web Applications	3/11/2025	3/11/2025	info
114616	GitLab Public Sign-Up Detected	Web App Scanning	Web Applications	3/11/2025	3/11/2025	info
114619	GitLab Public Snippets Detected	Web App Scanning	Web Applications	3/11/2025	3/11/2025	info
113044	GitLab 11.9.x < 13.8.8 / 13.9.x < 13.9.6 / 13.10.x < 13.10.3 Remote Code Execution	Web App Scanning	Component Vulnerability	11/9/2021	3/23/2022	critical

Detections

Analytics

Plugins Search

medium

medium

high

info

info

info

critical