VYPR

Bitnami package

gitlab

pkg:bitnami/gitlab

Vulnerabilities (1,073)

  • CVE-2024-5528Feb 5, 2025
    affected < 17.1.2fixed 17.1.2

    An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.

  • CVE-2024-9631Feb 5, 2025
    affected >= 13.6.0, < 17.4.2fixed 17.4.2

    An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.

  • CVE-2024-6356Feb 5, 2025
    affected >= 16.0.0, < 17.2.2fixed 17.2.2

    An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.

  • CVE-2024-1539Feb 5, 2025
    affected >= 15.2.0, < 16.11.2fixed 16.11.2

    An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.

  • CVE-2023-6386Feb 5, 2025
    affected >= 15.11.0, < 16.6.7fixed 16.6.7

    A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.

  • CVE-2023-6195Jan 30, 2025
    affected >= 15.5.0, < 16.9.7fixed 16.9.7

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in th

  • CVE-2024-1211Jan 30, 2025
    affected >= 10.6.0, < 16.9.7fixed 16.9.7

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use

  • CVE-2025-0290Jan 28, 2025
    affected >= 15.0.0, < 17.6.4fixed 17.6.4

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive.

  • CVE-2024-11931Jan 24, 2025
    affected >= 17.0.0, < 17.6.4fixed 17.6.4

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables

  • CVE-2025-0314Jan 24, 2025
    affected >= 17.2.0, < 17.6.4fixed 17.6.4

    An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.

  • CVE-2024-13041Jan 9, 2025
    affected >= 16.4.0, < 17.5.5fixed 17.5.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider

  • CVE-2024-6324Jan 9, 2025
    affected >= 15.7.0, < 17.5.5fixed 17.5.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.

  • CVE-2024-12431Jan 8, 2025
    affected >= 15.5.0, < 17.5.5fixed 17.5.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.

  • CVE-2025-0194Jan 8, 2025
    affected >= 17.4.0, < 17.5.5fixed 17.5.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific ma

  • CVE-2023-5117Dec 25, 2024
    affected < 17.6.0fixed 17.6.0

    An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.

  • CVE-2024-8116Dec 16, 2024
    affected >= 16.9.0, < 17.4.6fixed 17.4.6

    An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.

  • CVE-2024-8650Dec 16, 2024
    affected >= 15.0.0, < 17.4.6fixed 17.4.6

    An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.

  • CVE-2024-8179Dec 12, 2024
    affected >= 17.3.0, < 17.4.6fixed 17.4.6

    An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.

  • CVE-2024-8233Dec 12, 2024
    affected >= 9.4.0, < 17.4.6fixed 17.4.6

    An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.

  • CVE-2024-8647Dec 12, 2024
    affected >= 15.2.0, < 17.4.6fixed 17.4.6

    An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.

Page 15 of 54