Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8970 | — | >= 11.6.0, < 17.2.9 | 17.2.9 | Oct 11, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. | ||
| CVE-2024-5005 | — | >= 11.4.0, < 17.2.9 | 17.2.9 | Oct 11, 2024 | An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the AP | ||
| CVE-2024-9164 | — | >= 12.5.0, < 17.2.9 | 17.2.9 | Oct 11, 2024 | An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. | ||
| CVE-2024-6530 | — | >= 17.1.0, < 17.2.9 | 17.2.9 | Oct 10, 2024 | A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific | ||
| CVE-2024-8977 | — | >= 15.10.0, < 17.2.9 | 17.2.9 | Oct 10, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. | ||
| CVE-2024-9596 | — | >= 16.6.0, < 17.2.9 | 17.2.9 | Oct 10, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. | ||
| CVE-2024-9623 | — | >= 8.16.0, < 17.2.9 | 17.2.9 | Oct 10, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. | ||
| CVE-2023-3441 | — | >= 8.0.0, < 16.4.0 | 16.4.0 | Oct 1, 2024 | An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches. | ||
| CVE-2024-8974 | — | >= 15.6.0, < 17.2.8 | 17.2.8 | Sep 26, 2024 | Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project." | ||
| CVE-2024-4278 | — | >= 16.5.0, < 17.2.8 | 17.2.8 | Sep 26, 2024 | An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy settin | ||
| CVE-2024-4283 | — | >= 11.1.0, < 17.1.7 | 17.1.7 | Sep 16, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. | ||
| CVE-2024-6685 | — | >= 16.7.0, < 17.1.7 | 17.1.7 | Sep 16, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members. | ||
| CVE-2024-8311 | — | >= 17.2.0, < 17.2.5 | 17.2.5 | Sep 12, 2024 | An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template. | ||
| CVE-2024-4472 | — | >= 16.5.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs. | ||
| CVE-2024-6678 | — | >= 8.14.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. | ||
| CVE-2024-8641 | — | >= 13.7.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to t | ||
| CVE-2024-8631 | — | >= 16.6.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include o | ||
| CVE-2024-8754 | — | >= 16.9.7, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT au | ||
| CVE-2024-8635 | — | >= 16.8.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven De | ||
| CVE-2024-2743 | — | >= 13.3.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. |
- CVE-2024-8970Oct 11, 2024affected >= 11.6.0, < 17.2.9fixed 17.2.9
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
- CVE-2024-5005Oct 11, 2024affected >= 11.4.0, < 17.2.9fixed 17.2.9
An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the AP
- CVE-2024-9164Oct 11, 2024affected >= 12.5.0, < 17.2.9fixed 17.2.9
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
- CVE-2024-6530Oct 10, 2024affected >= 17.1.0, < 17.2.9fixed 17.2.9
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific
- CVE-2024-8977Oct 10, 2024affected >= 15.10.0, < 17.2.9fixed 17.2.9
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
- CVE-2024-9596Oct 10, 2024affected >= 16.6.0, < 17.2.9fixed 17.2.9
An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.
- CVE-2024-9623Oct 10, 2024affected >= 8.16.0, < 17.2.9fixed 17.2.9
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
- CVE-2023-3441Oct 1, 2024affected >= 8.0.0, < 16.4.0fixed 16.4.0
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.
- CVE-2024-8974Sep 26, 2024affected >= 15.6.0, < 17.2.8fixed 17.2.8
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."
- CVE-2024-4278Sep 26, 2024affected >= 16.5.0, < 17.2.8fixed 17.2.8
An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy settin
- CVE-2024-4283Sep 16, 2024affected >= 11.1.0, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
- CVE-2024-6685Sep 16, 2024affected >= 16.7.0, < 17.1.7fixed 17.1.7
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
- CVE-2024-8311Sep 12, 2024affected >= 17.2.0, < 17.2.5fixed 17.2.5
An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.
- CVE-2024-4472Sep 12, 2024affected >= 16.5.0, < 17.1.7fixed 17.1.7
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
- CVE-2024-6678Sep 12, 2024affected >= 8.14.0, < 17.1.7fixed 17.1.7
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
- CVE-2024-8641Sep 12, 2024affected >= 13.7.0, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to t
- CVE-2024-8631Sep 12, 2024affected >= 16.6.0, < 17.1.7fixed 17.1.7
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include o
- CVE-2024-8754Sep 12, 2024affected >= 16.9.7, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT au
- CVE-2024-8635Sep 12, 2024affected >= 16.8.0, < 17.1.7fixed 17.1.7
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven De
- CVE-2024-2743Sep 12, 2024affected >= 13.3.0, < 17.1.7fixed 17.1.7
An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
Page 17 of 54