Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-2454 | — | >= 15.11.0, < 16.9.7 | 16.9.7 | May 9, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request. | ||
| CVE-2024-2651 | — | < 16.9.7 | 16.9.7 | May 9, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown con | ||
| CVE-2024-4539 | — | >= 15.4.0, < 16.9.7 | 16.9.7 | May 9, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service. | ||
| CVE-2024-4597 | — | >= 16.7.0, < 16.9.7 | 16.9.7 | May 9, 2024 | An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF. | ||
| CVE-2024-4024 | — | >= 7.8.0, < 16.9.6 | 16.9.6 | Apr 25, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials ma | ||
| CVE-2024-4006 | — | >= 16.7.0, < 16.9.6 | 16.9.6 | Apr 25, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions | ||
| CVE-2024-1347 | — | < 16.9.6 | 16.9.6 | Apr 25, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain | ||
| CVE-2024-2434 | — | >= 16.9.0, < 16.9.6 | 16.9.6 | Apr 25, 2024 | An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. | ||
| CVE-2024-2829 | — | >= 12.5.0, < 16.9.6 | 16.9.6 | Apr 25, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service. | ||
| CVE-2023-6489 | — | >= 16.7.7, < 16.8.6 | 16.8.6 | Apr 12, 2024 | A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature. | ||
| CVE-2023-6678 | — | < 16.8.6 | 16.8.6 | Apr 12, 2024 | An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using malicious crafted content in a junit | ||
| CVE-2024-2279 | — | >= 16.7.0, < 16.8.6 | 16.8.6 | Apr 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a st | ||
| CVE-2024-3092 | — | >= 16.9.0, < 16.9.4 | 16.9.4 | Apr 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of vict | ||
| CVE-2023-6371 | — | < 16.8.5 | 16.8.5 | Mar 28, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary | ||
| CVE-2024-2818 | — | < 16.8.5 | 16.8.5 | Mar 28, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description para | ||
| CVE-2024-0199 | — | >= 11.3.0, < 16.7.7 | 16.7.7 | Mar 7, 2024 | An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. | ||
| CVE-2024-1299 | — | >= 16.8.0, < 16.8.4 | 16.8.4 | Mar 7, 2024 | A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges. | ||
| CVE-2023-4895 | — | >= 12.0.0, < 16.7.6 | 16.7.6 | Feb 22, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access envir | ||
| CVE-2023-6477 | — | >= 16.5.0, < 16.7.6 | 16.7.6 | Feb 21, 2024 | An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be a | ||
| CVE-2024-0410 | — | >= 15.1.0, < 16.7.6 | 16.7.6 | Feb 21, 2024 | An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. |
- CVE-2024-2454May 9, 2024affected >= 15.11.0, < 16.9.7fixed 16.9.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request.
- CVE-2024-2651May 9, 2024affected < 16.9.7fixed 16.9.7
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown con
- CVE-2024-4539May 9, 2024affected >= 15.4.0, < 16.9.7fixed 16.9.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service.
- CVE-2024-4597May 9, 2024affected >= 16.7.0, < 16.9.7fixed 16.9.7
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
- CVE-2024-4024Apr 25, 2024affected >= 7.8.0, < 16.9.6fixed 16.9.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials ma
- CVE-2024-4006Apr 25, 2024affected >= 16.7.0, < 16.9.6fixed 16.9.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions
- CVE-2024-1347Apr 25, 2024affected < 16.9.6fixed 16.9.6
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain
- CVE-2024-2434Apr 25, 2024affected >= 16.9.0, < 16.9.6fixed 16.9.6
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
- CVE-2024-2829Apr 25, 2024affected >= 12.5.0, < 16.9.6fixed 16.9.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
- CVE-2023-6489Apr 12, 2024affected >= 16.7.7, < 16.8.6fixed 16.8.6
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.
- CVE-2023-6678Apr 12, 2024affected < 16.8.6fixed 16.8.6
An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using malicious crafted content in a junit
- CVE-2024-2279Apr 12, 2024affected >= 16.7.0, < 16.8.6fixed 16.8.6
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a st
- CVE-2024-3092Apr 12, 2024affected >= 16.9.0, < 16.9.4fixed 16.9.4
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of vict
- CVE-2023-6371Mar 28, 2024affected < 16.8.5fixed 16.8.5
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary
- CVE-2024-2818Mar 28, 2024affected < 16.8.5fixed 16.8.5
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description para
- CVE-2024-0199Mar 7, 2024affected >= 11.3.0, < 16.7.7fixed 16.7.7
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.
- CVE-2024-1299Mar 7, 2024affected >= 16.8.0, < 16.8.4fixed 16.8.4
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.
- CVE-2023-4895Feb 22, 2024affected >= 12.0.0, < 16.7.6fixed 16.7.6
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access envir
- CVE-2023-6477Feb 21, 2024affected >= 16.5.0, < 16.7.6fixed 16.7.6
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be a
- CVE-2024-0410Feb 21, 2024affected >= 15.1.0, < 16.7.6fixed 16.7.6
An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.
Page 21 of 54