Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-4011 | — | >= 16.1.0, < 16.11.5 | 16.11.5 | Jun 26, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. | ||
| CVE-2024-4557 | — | >= 1.0.0, < 16.11.5 | 16.11.5 | Jun 26, 2024 | Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai | ||
| CVE-2024-4901 | — | >= 16.9.0, < 16.11.5 | 16.11.5 | Jun 26, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. | ||
| CVE-2024-5655 | — | >= 15.8.0, < 16.11.5 | 16.11.5 | Jun 26, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances. | ||
| CVE-2024-5430 | — | >= 16.10.0, < 16.11.5 | 16.11.5 | Jun 26, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL. | ||
| CVE-2024-6323 | — | >= 16.11.0, < 16.11.5 | 16.11.5 | Jun 26, 2024 | Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. | ||
| CVE-2024-5469 | — | >= 16.10.0, < 16.10.6 | 16.10.6 | Jun 14, 2024 | DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests. | ||
| CVE-2024-1736 | — | >= 15.8.0, < 16.10.7 | 16.10.7 | Jun 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously craf | ||
| CVE-2024-1495 | — | >= 13.1.0, < 16.10.7 | 16.10.7 | Jun 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file. | ||
| CVE-2024-1963 | — | >= 8.4.0, < 16.10.7 | 16.10.7 | Jun 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular e | ||
| CVE-2024-4201 | — | >= 5.1.0, < 16.10.7 | 16.10.7 | Jun 12, 2024 | A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be mad | ||
| CVE-2024-5318 | — | >= 11.11.0, < 16.10.6 | 16.10.6 | May 24, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts. | ||
| CVE-2023-6502 | — | < 16.10.6 | 16.10.6 | May 23, 2024 | A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page. | ||
| CVE-2023-7045 | — | >= 13.11.0, < 16.10.6 | 16.10.6 | May 23, 2024 | A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS). | ||
| CVE-2024-1947 | — | >= 13.2.4, < 16.10.6 | 16.10.6 | May 23, 2024 | A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. | ||
| CVE-2024-5258 | — | >= 16.10.0, < 16.10.6 | 16.10.6 | May 23, 2024 | An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic. | ||
| CVE-2024-2874 | — | < 16.10.6 | 16.10.6 | May 23, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources. | ||
| CVE-2024-4835 | — | >= 15.11.0, < 16.10.6 | 16.10.6 | May 23, 2024 | A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information. | ||
| CVE-2023-6682 | — | >= 16.9.0, < 16.9.7 | 16.9.7 | May 9, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular | ||
| CVE-2023-6688 | — | >= 16.11.0, < 16.11.2 | 16.11.2 | May 9, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server. |
- CVE-2024-4011Jun 26, 2024affected >= 16.1.0, < 16.11.5fixed 16.11.5
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.
- CVE-2024-4557Jun 26, 2024affected >= 1.0.0, < 16.11.5fixed 16.11.5
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai
- CVE-2024-4901Jun 26, 2024affected >= 16.9.0, < 16.11.5fixed 16.11.5
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.
- CVE-2024-5655Jun 26, 2024affected >= 15.8.0, < 16.11.5fixed 16.11.5
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.
- CVE-2024-5430Jun 26, 2024affected >= 16.10.0, < 16.11.5fixed 16.11.5
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL.
- CVE-2024-6323Jun 26, 2024affected >= 16.11.0, < 16.11.5fixed 16.11.5
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.
- CVE-2024-5469Jun 14, 2024affected >= 16.10.0, < 16.10.6fixed 16.10.6
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
- CVE-2024-1736Jun 12, 2024affected >= 15.8.0, < 16.10.7fixed 16.10.7
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously craf
- CVE-2024-1495Jun 12, 2024affected >= 13.1.0, < 16.10.7fixed 16.10.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.
- CVE-2024-1963Jun 12, 2024affected >= 8.4.0, < 16.10.7fixed 16.10.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular e
- CVE-2024-4201Jun 12, 2024affected >= 5.1.0, < 16.10.7fixed 16.10.7
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be mad
- CVE-2024-5318May 24, 2024affected >= 11.11.0, < 16.10.6fixed 16.10.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts.
- CVE-2023-6502May 23, 2024affected < 16.10.6fixed 16.10.6
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.
- CVE-2023-7045May 23, 2024affected >= 13.11.0, < 16.10.6fixed 16.10.6
A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).
- CVE-2024-1947May 23, 2024affected >= 13.2.4, < 16.10.6fixed 16.10.6
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
- CVE-2024-5258May 23, 2024affected >= 16.10.0, < 16.10.6fixed 16.10.6
An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
- CVE-2024-2874May 23, 2024affected < 16.10.6fixed 16.10.6
An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.
- CVE-2024-4835May 23, 2024affected >= 15.11.0, < 16.10.6fixed 16.10.6
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
- CVE-2023-6682May 9, 2024affected >= 16.9.0, < 16.9.7fixed 16.9.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular
- CVE-2023-6688May 9, 2024affected >= 16.11.0, < 16.11.2fixed 16.11.2
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.
Page 20 of 54