VYPR

Bitnami package

gitlab

pkg:bitnami/gitlab

Vulnerabilities (1,073)

  • CVE-2024-4210Aug 8, 2024
    affected >= 12.6.0, < 17.0.6fixed 17.0.6

    A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.

  • CVE-2024-4784Aug 8, 2024
    affected >= 16.7.0, < 17.0.6fixed 17.0.6

    An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.

  • CVE-2024-6329Aug 8, 2024
    affected >= 8.16.0, < 17.0.6fixed 17.0.6

    An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.

  • CVE-2024-7057Jul 25, 2024
    affected >= 16.7.0, < 17.0.5fixed 17.0.5

    An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorizati

  • CVE-2024-7047Jul 25, 2024
    affected >= 16.6.0, < 17.0.5fixed 17.0.5

    A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.

  • CVE-2024-0231Jul 24, 2024
    affected >= 12.0.0, < 17.0.5fixed 17.0.5

    A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.

  • CVE-2024-5067Jul 24, 2024
    affected >= 16.11.0, < 17.0.5fixed 17.0.5

    An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or hig

  • CVE-2024-7060Jul 24, 2024
    affected >= 15.4.0, < 17.0.5fixed 17.0.5

    An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export.

  • CVE-2024-7091Jul 24, 2024
    affected >= 15.6.0, < 17.0.5fixed 17.0.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.

  • CVE-2024-6595Jul 17, 2024
    affected >= 11.8.0, < 16.11.6fixed 16.11.6

    An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.

  • CVE-2024-2880Jul 11, 2024
    affected >= 16.5.0, < 16.11.6fixed 16.11.6

    An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.

  • CVE-2024-5257Jul 11, 2024
    affected >= 17.0.0, < 17.0.4fixed 17.0.4

    An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.

  • CVE-2024-5470Jul 11, 2024
    affected >= 17.0.0, < 17.0.4fixed 17.0.4

    An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.

  • CVE-2024-6385Jul 11, 2024
    affected >= 15.8.0, < 16.11.6fixed 16.11.6

    An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

  • CVE-2024-2177Jul 9, 2024
    affected >= 16.3.0, < 16.11.5fixed 16.11.5

    A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.

  • CVE-2024-1493Jun 26, 2024
    affected >= 9.2.0, < 16.11.5fixed 16.11.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS a

  • CVE-2024-1816Jun 26, 2024
    affected >= 12.0.0, < 16.11.5fixed 16.11.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.

  • CVE-2024-2191Jun 26, 2024
    affected >= 16.9.0, < 16.11.5fixed 16.11.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.

  • CVE-2024-3115Jun 26, 2024
    affected >= 16.0.0, < 16.11.5fixed 16.11.5

    An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.

  • CVE-2024-3959Jun 26, 2024
    affected >= 16.7.0, < 16.11.5fixed 16.11.5

    An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user.

Page 19 of 54