Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-0362 | — | >= 7.7.0, < 17.10.4 | 17.10.4 | Apr 10, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf. | ||
| CVE-2025-2469 | — | >= 17.9.0, < 17.10.4 | 17.10.4 | Apr 10, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users. | ||
| CVE-2024-11129 | — | >= 17.1.0, < 17.10.4 | 17.10.4 | Apr 10, 2025 | An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. This allows attackers to perform targeted searches with sensitive keywords to get the count of issues containing the searched term." | ||
| CVE-2025-1677 | — | < 17.10.4 | 17.10.4 | Apr 10, 2025 | A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4 A denial of service could occur upon injecting oversized payloads into CI pipeline exports. | ||
| CVE-2025-2408 | — | >= 13.12.0, < 17.10.4 | 17.10.4 | Apr 10, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information. | ||
| CVE-2024-10307 | — | >= 12.10.0, < 17.10.1 | 17.10.1 | Mar 28, 2025 | An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request. | ||
| CVE-2024-12619 | — | >= 16.0.0, < 17.10.1 | 17.10.1 | Mar 28, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects. | ||
| CVE-2025-2867 | — | >= 17.8.0, < 17.8.6 | 17.8.6 | Mar 27, 2025 | An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data t | ||
| CVE-2024-9773 | — | >= 14.9.0, < 17.10.1 | 17.10.1 | Mar 27, 2025 | An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.8.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintain | ||
| CVE-2025-0811 | — | >= 17.7.0, < 17.10.1 | 17.10.1 | Mar 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting. | ||
| CVE-2025-2242 | — | >= 17.4.0, < 17.10.1 | 17.10.1 | Mar 27, 2025 | An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain eleva | ||
| CVE-2025-2255 | — | >= 13.5.0, < 17.10.1 | 17.10.1 | Mar 27, 2025 | An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec. | ||
| CVE-2024-7296 | — | >= 16.5.0, < 17.9.2 | 17.9.2 | Mar 13, 2025 | An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users. | ||
| CVE-2025-1257 | — | >= 12.3.0, < 17.9.2 | 17.9.2 | Mar 13, 2025 | An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service condition by manipulating specific API in | ||
| CVE-2024-8402 | — | >= 17.2.0, < 17.9.2 | 17.9.2 | Mar 13, 2025 | An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a M | ||
| CVE-2024-12380 | — | >= 11.5.0, < 17.9.2 | 17.9.2 | Mar 13, 2025 | An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive a | ||
| CVE-2024-13054 | — | < 17.9.2 | 17.9.2 | Mar 13, 2025 | An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions. | ||
| CVE-2025-0652 | — | >= 16.9.0, < 17.9.2 | 17.9.2 | Mar 13, 2025 | An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for intern | ||
| CVE-2025-25292 | — | < 17.9.2 | 17.9.2 | Mar 12, 2025 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can ge | ||
| CVE-2025-25291 | — | < 17.9.2 | 17.9.2 | Mar 12, 2025 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can ge |
- CVE-2025-0362Apr 10, 2025affected >= 7.7.0, < 17.10.4fixed 17.10.4
An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
- CVE-2025-2469Apr 10, 2025affected >= 17.9.0, < 17.10.4fixed 17.10.4
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.
- CVE-2024-11129Apr 10, 2025affected >= 17.1.0, < 17.10.4fixed 17.10.4
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. This allows attackers to perform targeted searches with sensitive keywords to get the count of issues containing the searched term."
- CVE-2025-1677Apr 10, 2025affected < 17.10.4fixed 17.10.4
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4 A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
- CVE-2025-2408Apr 10, 2025affected >= 13.12.0, < 17.10.4fixed 17.10.4
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
- CVE-2024-10307Mar 28, 2025affected >= 12.10.0, < 17.10.1fixed 17.10.1
An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
- CVE-2024-12619Mar 28, 2025affected >= 16.0.0, < 17.10.1fixed 17.10.1
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
- CVE-2025-2867Mar 27, 2025affected >= 17.8.0, < 17.8.6fixed 17.8.6
An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data t
- CVE-2024-9773Mar 27, 2025affected >= 14.9.0, < 17.10.1fixed 17.10.1
An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.8.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintain
- CVE-2025-0811Mar 27, 2025affected >= 17.7.0, < 17.10.1fixed 17.10.1
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.
- CVE-2025-2242Mar 27, 2025affected >= 17.4.0, < 17.10.1fixed 17.10.1
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain eleva
- CVE-2025-2255Mar 27, 2025affected >= 13.5.0, < 17.10.1fixed 17.10.1
An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec.
- CVE-2024-7296Mar 13, 2025affected >= 16.5.0, < 17.9.2fixed 17.9.2
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
- CVE-2025-1257Mar 13, 2025affected >= 12.3.0, < 17.9.2fixed 17.9.2
An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service condition by manipulating specific API in
- CVE-2024-8402Mar 13, 2025affected >= 17.2.0, < 17.9.2fixed 17.9.2
An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a M
- CVE-2024-12380Mar 13, 2025affected >= 11.5.0, < 17.9.2fixed 17.9.2
An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive a
- CVE-2024-13054Mar 13, 2025affected < 17.9.2fixed 17.9.2
An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.
- CVE-2025-0652Mar 13, 2025affected >= 16.9.0, < 17.9.2fixed 17.9.2
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for intern
- CVE-2025-25292Mar 12, 2025affected < 17.9.2fixed 17.9.2
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can ge
- CVE-2025-25291Mar 12, 2025affected < 17.9.2fixed 17.9.2
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can ge
Page 13 of 54