Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25293 | — | < 17.9.2 | 17.9.2 | Mar 12, 2025 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case the | ||
| CVE-2025-1540 | — | >= 17.5.0, < 17.8.2 | 17.8.2 | Mar 6, 2025 | An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read and clone internal projects under certai | ||
| CVE-2025-0555 | — | >= 16.6.0, < 17.9.1 | 17.9.1 | Mar 3, 2025 | A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions. | ||
| CVE-2024-10925 | — | >= 16.2.0, < 17.9.1 | 17.9.1 | Mar 3, 2025 | A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML | ||
| CVE-2025-0475 | — | >= 15.10.0, < 17.9.1 | 17.9.1 | Mar 3, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances. | ||
| CVE-2024-8186 | — | >= 16.6.0, < 17.9.1 | 17.9.1 | Mar 3, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations. | ||
| CVE-2024-3303 | — | >= 16.0.0, < 17.8.2 | 17.8.2 | Feb 13, 2025 | An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection. | ||
| CVE-2025-1198 | — | >= 16.11.0, < 17.8.2 | 17.8.2 | Feb 13, 2025 | An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. | ||
| CVE-2024-7102 | — | >= 16.4.0, < 17.5.0 | 17.5.0 | Feb 13, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances. | ||
| CVE-2024-8266 | — | >= 17.1.0, < 17.6.0 | 17.6.0 | Feb 13, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances. | ||
| CVE-2024-9870 | — | >= 15.11.0, < 17.8.2 | 17.8.2 | Feb 12, 2025 | An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services. | ||
| CVE-2025-0516 | — | >= 17.7.0, < 17.8.2 | 17.8.2 | Feb 12, 2025 | Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data. | ||
| CVE-2024-12379 | — | >= 14.1.0, < 17.8.2 | 17.8.2 | Feb 12, 2025 | A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T | ||
| CVE-2025-0376 | — | >= 13.3.0, < 17.8.2 | 17.8.2 | Feb 12, 2025 | An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page. | ||
| CVE-2025-1212 | — | >= 8.3.0, < 17.8.2 | 17.8.2 | Feb 12, 2025 | An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information. | ||
| CVE-2025-1042 | — | >= 15.7.0, < 17.8.2 | 17.8.2 | Feb 12, 2025 | An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way. | ||
| CVE-2024-10383 | — | >= 15.11.0, < 17.3.0 | 17.3.0 | Feb 7, 2025 | An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17. | ||
| CVE-2025-1072 | — | >= 7.14.1, < 17.5.2 | 17.5.2 | Feb 7, 2025 | A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer. | ||
| CVE-2024-2878 | — | >= 15.7.0, < 16.11.2 | 16.11.2 | Feb 5, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms fo | ||
| CVE-2024-3976 | — | >= 14.0.0, < 16.11.2 | 16.11.2 | Feb 5, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a publ |
- CVE-2025-25293Mar 12, 2025affected < 17.9.2fixed 17.9.2
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case the
- CVE-2025-1540Mar 6, 2025affected >= 17.5.0, < 17.8.2fixed 17.8.2
An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read and clone internal projects under certai
- CVE-2025-0555Mar 3, 2025affected >= 16.6.0, < 17.9.1fixed 17.9.1
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions.
- CVE-2024-10925Mar 3, 2025affected >= 16.2.0, < 17.9.1fixed 17.9.1
A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML
- CVE-2025-0475Mar 3, 2025affected >= 15.10.0, < 17.9.1fixed 17.9.1
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
- CVE-2024-8186Mar 3, 2025affected >= 16.6.0, < 17.9.1fixed 17.9.1
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations.
- CVE-2024-3303Feb 13, 2025affected >= 16.0.0, < 17.8.2fixed 17.8.2
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection.
- CVE-2025-1198Feb 13, 2025affected >= 16.11.0, < 17.8.2fixed 17.8.2
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
- CVE-2024-7102Feb 13, 2025affected >= 16.4.0, < 17.5.0fixed 17.5.0
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances.
- CVE-2024-8266Feb 13, 2025affected >= 17.1.0, < 17.6.0fixed 17.6.0
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances.
- CVE-2024-9870Feb 12, 2025affected >= 15.11.0, < 17.8.2fixed 17.8.2
An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services.
- CVE-2025-0516Feb 12, 2025affected >= 17.7.0, < 17.8.2fixed 17.8.2
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
- CVE-2024-12379Feb 12, 2025affected >= 14.1.0, < 17.8.2fixed 17.8.2
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T
- CVE-2025-0376Feb 12, 2025affected >= 13.3.0, < 17.8.2fixed 17.8.2
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
- CVE-2025-1212Feb 12, 2025affected >= 8.3.0, < 17.8.2fixed 17.8.2
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
- CVE-2025-1042Feb 12, 2025affected >= 15.7.0, < 17.8.2fixed 17.8.2
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
- CVE-2024-10383Feb 7, 2025affected >= 15.11.0, < 17.3.0fixed 17.3.0
An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.
- CVE-2025-1072Feb 7, 2025affected >= 7.14.1, < 17.5.2fixed 17.5.2
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer.
- CVE-2024-2878Feb 5, 2025affected >= 15.7.0, < 16.11.2fixed 16.11.2
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms fo
- CVE-2024-3976Feb 5, 2025affected >= 14.0.0, < 16.11.2fixed 16.11.2
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a publ
Page 14 of 54