CVE ID request

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com

A Common Vulnerabilities and Exposures ID (CVE ID) is a unique identifier assigned to a publicly disclosed software vulnerability. GitLab is a CVE Numbering Authority (CNA), which means GitLab can assign CVE identifiers to vulnerabilities in projects hosted on GitLab.com.

For a public project, you can request a CVE identifier to keep users informed about a security issue. A CVE identifier also makes the issue visible to automated tooling: for example, GitLab dependency scanning can detect when your project uses a vulnerable version of a dependency once that dependency's vulnerability has a CVE.

A common vulnerability workflow is:

  1. Request a CVE for a vulnerability.
  2. Reference the assigned CVE identifier in release notes.
  3. Publish the vulnerability’s details after the fix is released.

Submit a CVE ID request

Prerequisites:

  • The Maintainer or Owner role for the project.
  • The project is hosted on GitLab.com.
  • The project is public.
  • The vulnerability’s issue is confidential.

To submit a CVE ID request:

  1. Go to the vulnerability’s issue and select Create CVE ID Request. The new issue page of the GitLab CVE project opens.

  2. In the Title box, enter a brief description of the vulnerability.

  3. In the Description box, enter the following details:

    • A detailed description of the vulnerability
    • The project’s vendor and name
    • Impacted versions
    • Fixed versions
    • The vulnerability class (a CWE identifier)
    • A CVSS v3 vector

GitLab updates your CVE ID request issue when:

  • Your submission is assigned a CVE.
  • Your CVE is published.
  • MITRE is notified that your CVE is published.
  • Your CVE has been added to the NVD feed.

CVE assignment

After a CVE identifier is assigned, you can reference it wherever you need to, for example in release notes. The details you submitted in the CVE ID request are published according to your schedule, so you can hold them back until the fix is released.