Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-4612 | — | >= 12.9.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. | ||
| CVE-2024-4660 | — | >= 11.2.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group | ||
| CVE-2024-5435 | — | >= 15.10.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration. | ||
| CVE-2024-6446 | — | >= 17.1.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application. | ||
| CVE-2024-6389 | — | >= 17.1.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. | ||
| CVE-2024-8124 | — | >= 16.4.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request. | ||
| CVE-2024-8640 | — | >= 16.11.0, < 17.1.7 | 17.1.7 | Sep 12, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. | ||
| CVE-2024-45409 | — | < 16.11.10 | 16.11.10 | Sep 10, 2024 | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forg | ||
| CVE-2024-3127 | — | >= 12.5.0, < 17.1.6 | 17.1.6 | Aug 22, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups thr | ||
| CVE-2024-6502 | — | >= 8.2.0, < 17.1.6 | 17.1.6 | Aug 22, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag. | ||
| CVE-2024-7110 | — | >= 17.1.0, < 17.1.6 | 17.1.6 | Aug 22, 2024 | An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection. | ||
| CVE-2024-8041 | — | < 17.1.6 | 17.1.6 | Aug 22, 2024 | A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer. | ||
| CVE-2024-2800 | — | >= 11.3.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking. | ||
| CVE-2024-3035 | — | >= 8.12.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories. | ||
| CVE-2024-3114 | — | >= 11.10.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server. | ||
| CVE-2024-3958 | — | < 17.0.6 | 17.0.6 | Aug 8, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engin | ||
| CVE-2024-4207 | — | >= 5.1.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if | ||
| CVE-2024-5423 | — | >= 1.0.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai p | ||
| CVE-2024-7554 | — | >= 13.9.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was | ||
| CVE-2024-7610 | — | >= 15.9.0, < 17.0.6 | 17.0.6 | Aug 8, 2024 | A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsea |
- CVE-2024-4612Sep 12, 2024affected >= 12.9.0, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
- CVE-2024-4660Sep 12, 2024affected >= 11.2.0, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group
- CVE-2024-5435Sep 12, 2024affected >= 15.10.0, < 17.1.7fixed 17.1.7
An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.
- CVE-2024-6446Sep 12, 2024affected >= 17.1.0, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application.
- CVE-2024-6389Sep 12, 2024affected >= 17.1.0, < 17.1.7fixed 17.1.7
An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.
- CVE-2024-8124Sep 12, 2024affected >= 16.4.0, < 17.1.7fixed 17.1.7
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.
- CVE-2024-8640Sep 12, 2024affected >= 16.11.0, < 17.1.7fixed 17.1.7
An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.
- CVE-2024-45409Sep 10, 2024affected < 16.11.10fixed 16.11.10
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forg
- CVE-2024-3127Aug 22, 2024affected >= 12.5.0, < 17.1.6fixed 17.1.6
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups thr
- CVE-2024-6502Aug 22, 2024affected >= 8.2.0, < 17.1.6fixed 17.1.6
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag.
- CVE-2024-7110Aug 22, 2024affected >= 17.1.0, < 17.1.6fixed 17.1.6
An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection.
- CVE-2024-8041Aug 22, 2024affected < 17.1.6fixed 17.1.6
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.
- CVE-2024-2800Aug 8, 2024affected >= 11.3.0, < 17.0.6fixed 17.0.6
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
- CVE-2024-3035Aug 8, 2024affected >= 8.12.0, < 17.0.6fixed 17.0.6
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.
- CVE-2024-3114Aug 8, 2024affected >= 11.10.0, < 17.0.6fixed 17.0.6
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
- CVE-2024-3958Aug 8, 2024affected < 17.0.6fixed 17.0.6
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engin
- CVE-2024-4207Aug 8, 2024affected >= 5.1.0, < 17.0.6fixed 17.0.6
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if
- CVE-2024-5423Aug 8, 2024affected >= 1.0.0, < 17.0.6fixed 17.0.6
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai p
- CVE-2024-7554Aug 8, 2024affected >= 13.9.0, < 17.0.6fixed 17.0.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was
- CVE-2024-7610Aug 8, 2024affected >= 15.9.0, < 17.0.6fixed 17.0.6
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsea
Page 18 of 54