Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-4972 | — | >= 18.0.0 | — | Jul 10, 2025 | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality | ||
| CVE-2025-6168 | — | >= 18.0.0 | — | Jul 10, 2025 | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests. | ||
| CVE-2025-6948 | — | >= 17.11.0, < 18.0.1 | 18.0.1 | Jul 10, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content. | ||
| CVE-2025-1754 | — | >= 17.2.0, < 18.0.1 | 18.0.1 | Jun 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially lea | ||
| CVE-2025-2938 | — | >= 17.3.0, < 18.0.1 | 18.0.1 | Jun 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications durin | ||
| CVE-2025-3279 | — | >= 10.7.0, < 18.0.1 | 18.0.1 | Jun 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests. | ||
| CVE-2025-5315 | — | >= 17.2.0, < 18.0.1 | 18.0.1 | Jun 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API reques | ||
| CVE-2025-5846 | — | >= 16.10.0, < 18.0.1 | 18.0.1 | Jun 26, 2025 | An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypas | ||
| CVE-2023-5600 | — | >= 16.0.0, < 16.3.6 | 16.3.6 | Jun 20, 2025 | An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked throug | ||
| CVE-2024-4994 | — | >= 16.1.0, < 16.11.5 | 16.11.5 | Jun 20, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbit | ||
| CVE-2024-4025 | — | >= 7.10.0, < 16.11.5 | 16.11.5 | Jun 20, 2025 | A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page. | ||
| CVE-2025-2443 | — | >= 16.6.0, < 17.11.1 | 17.11.1 | Jun 20, 2025 | An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1. | ||
| CVE-2025-5121 | — | >= 17.11.0, < 18.0.2 | 18.0.2 | Jun 20, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group. | ||
| CVE-2024-7586 | — | >= 17.0.0, < 17.2.2 | 17.2.2 | Jun 20, 2025 | An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials. | ||
| CVE-2025-5982 | — | >= 12.0.0, < 18.0.2 | 18.0.2 | Jun 12, 2025 | An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information. | ||
| CVE-2024-9512 | — | < 18.0.2 | 18.0.2 | Jun 12, 2025 | An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for private repository to be cloned in case of race condition when a secondary node is out of sync. | ||
| CVE-2025-0673 | — | >= 17.7.0, < 18.0.2 | 18.0.2 | Jun 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, allow an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition. | ||
| CVE-2025-5195 | — | >= 17.9.0, < 18.0.2 | 18.0.2 | Jun 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure. | ||
| CVE-2025-1478 | — | >= 8.13.0, < 18.0.2 | 18.0.2 | Jun 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service. | ||
| CVE-2025-1516 | — | >= 8.7.0, < 18.0.2 | 18.0.2 | Jun 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper input validation in Tokens Names could be used to trigger a denial of service. |
- CVE-2025-4972Jul 10, 2025affected >= 18.0.0
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality
- CVE-2025-6168Jul 10, 2025affected >= 18.0.0
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.
- CVE-2025-6948Jul 10, 2025affected >= 17.11.0, < 18.0.1fixed 18.0.1
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
- CVE-2025-1754Jun 26, 2025affected >= 17.2.0, < 18.0.1fixed 18.0.1
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially lea
- CVE-2025-2938Jun 26, 2025affected >= 17.3.0, < 18.0.1fixed 18.0.1
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications durin
- CVE-2025-3279Jun 26, 2025affected >= 10.7.0, < 18.0.1fixed 18.0.1
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
- CVE-2025-5315Jun 26, 2025affected >= 17.2.0, < 18.0.1fixed 18.0.1
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API reques
- CVE-2025-5846Jun 26, 2025affected >= 16.10.0, < 18.0.1fixed 18.0.1
An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypas
- CVE-2023-5600Jun 20, 2025affected >= 16.0.0, < 16.3.6fixed 16.3.6
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked throug
- CVE-2024-4994Jun 20, 2025affected >= 16.1.0, < 16.11.5fixed 16.11.5
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbit
- CVE-2024-4025Jun 20, 2025affected >= 7.10.0, < 16.11.5fixed 16.11.5
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.
- CVE-2025-2443Jun 20, 2025affected >= 16.6.0, < 17.11.1fixed 17.11.1
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
- CVE-2025-5121Jun 20, 2025affected >= 17.11.0, < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.
- CVE-2024-7586Jun 20, 2025affected >= 17.0.0, < 17.2.2fixed 17.2.2
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
- CVE-2025-5982Jun 12, 2025affected >= 12.0.0, < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
- CVE-2024-9512Jun 12, 2025affected < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for private repository to be cloned in case of race condition when a secondary node is out of sync.
- CVE-2025-0673Jun 12, 2025affected >= 17.7.0, < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, allow an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition.
- CVE-2025-5195Jun 12, 2025affected >= 17.9.0, < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure.
- CVE-2025-1478Jun 12, 2025affected >= 8.13.0, < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service.
- CVE-2025-1516Jun 12, 2025affected >= 8.7.0, < 18.0.2fixed 18.0.2
An issue has been discovered in GitLab CE/EE affecting all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper input validation in Tokens Names could be used to trigger a denial of service.
Page 11 of 54