VYPR

Bitnami package

gitlab

pkg:bitnami/gitlab

Vulnerabilities (1,073)

  • CVE-2024-8970Oct 11, 2024
    affected >= 11.6.0, < 17.2.9fixed 17.2.9

    An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

  • CVE-2024-5005Oct 11, 2024
    affected >= 11.4.0, < 17.2.9fixed 17.2.9

    An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the AP

  • CVE-2024-9164Oct 11, 2024
    affected >= 12.5.0, < 17.2.9fixed 17.2.9

    An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.

  • CVE-2024-6530Oct 10, 2024
    affected >= 17.1.0, < 17.2.9fixed 17.2.9

    A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific

  • CVE-2024-8977Oct 10, 2024
    affected >= 15.10.0, < 17.2.9fixed 17.2.9

    An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.

  • CVE-2024-9596Oct 10, 2024
    affected >= 16.6.0, < 17.2.9fixed 17.2.9

    An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.

  • CVE-2024-9623Oct 10, 2024
    affected >= 8.16.0, < 17.2.9fixed 17.2.9

    An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.

  • CVE-2023-3441Oct 1, 2024
    affected >= 8.0.0, < 16.4.0fixed 16.4.0

    An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.

  • CVE-2024-8974Sep 26, 2024
    affected >= 15.6.0, < 17.2.8fixed 17.2.8

    Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."

  • CVE-2024-4278Sep 26, 2024
    affected >= 16.5.0, < 17.2.8fixed 17.2.8

    An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy settin

  • CVE-2024-4283Sep 16, 2024
    affected >= 11.1.0, < 17.1.7fixed 17.1.7

    An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.

  • CVE-2024-6685Sep 16, 2024
    affected >= 16.7.0, < 17.1.7fixed 17.1.7

    An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.

  • CVE-2024-8311Sep 12, 2024
    affected >= 17.2.0, < 17.2.5fixed 17.2.5

    An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.

  • CVE-2024-4472Sep 12, 2024
    affected >= 16.5.0, < 17.1.7fixed 17.1.7

    An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.

  • CVE-2024-6678Sep 12, 2024
    affected >= 8.14.0, < 17.1.7fixed 17.1.7

    An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.

  • CVE-2024-8641Sep 12, 2024
    affected >= 13.7.0, < 17.1.7fixed 17.1.7

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to t

  • CVE-2024-8631Sep 12, 2024
    affected >= 16.6.0, < 17.1.7fixed 17.1.7

    A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include o

  • CVE-2024-8754Sep 12, 2024
    affected >= 16.9.7, < 17.1.7fixed 17.1.7

    An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT au

  • CVE-2024-8635Sep 12, 2024
    affected >= 16.8.0, < 17.1.7fixed 17.1.7

    A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven De

  • CVE-2024-2743Sep 12, 2024
    affected >= 13.3.0, < 17.1.7fixed 17.1.7

    An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.

Page 17 of 54