Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3950 | — | >= 10.3.0, < 18.5.5 | 18.5.5 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. | ||
| CVE-2025-9222 | — | >= 18.2.2, < 18.5.5 | 18.5.5 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. | ||
| CVE-2025-10569 | — | >= 8.3.0, < 18.5.5 | 18.5.5 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. | ||
| CVE-2025-11246 | — | >= 15.4.0, < 18.5.5 | 18.5.5 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating | ||
| CVE-2025-13772 | — | >= 18.4.0, < 18.5.5 | 18.5.5 | Jan 9, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace iden | ||
| CVE-2025-13761 | — | >= 18.6.0, < 18.6.3 | 18.6.3 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to | ||
| CVE-2025-13781 | — | >= 18.5.0, < 18.5.5 | 18.5.5 | Jan 9, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in | ||
| CVE-2025-12029 | — | >= 15.11.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in | ||
| CVE-2025-12734 | — | >= 15.6.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT | ||
| CVE-2025-4097 | — | >= 11.10.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. | ||
| CVE-2025-8405 | — | >= 17.1.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int | ||
| CVE-2025-11247 | — | >= 13.2.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL q | ||
| CVE-2025-11984 | — | >= 13.1.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con | ||
| CVE-2025-12562 | — | >= 11.10.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query | ||
| CVE-2025-12716 | — | >= 18.4.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating | ||
| CVE-2025-13978 | — | >= 17.5.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests. | ||
| CVE-2025-14157 | — | >= 6.3.0, < 18.4.6 | 18.4.6 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters | ||
| CVE-2024-9183 | — | >= 18.4.0, < 18.4.5 | 18.4.5 | Dec 5, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context un | ||
| CVE-2025-6195 | — | >= 13.7.0, < 18.4.5 | 18.4.5 | Nov 26, 2025 | GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | ||
| CVE-2025-7449 | — | >= 8.3.0, < 18.4.5 | 18.4.5 | Nov 26, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing |
- CVE-2025-3950Jan 9, 2026affected >= 10.3.0, < 18.5.5fixed 18.5.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
- CVE-2025-9222Jan 9, 2026affected >= 18.2.2, < 18.5.5fixed 18.5.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
- CVE-2025-10569Jan 9, 2026affected >= 8.3.0, < 18.5.5fixed 18.5.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
- CVE-2025-11246Jan 9, 2026affected >= 15.4.0, < 18.5.5fixed 18.5.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating
- CVE-2025-13772Jan 9, 2026affected >= 18.4.0, < 18.5.5fixed 18.5.5
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace iden
- CVE-2025-13761Jan 9, 2026affected >= 18.6.0, < 18.6.3fixed 18.6.3
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to
- CVE-2025-13781Jan 9, 2026affected >= 18.5.0, < 18.5.5fixed 18.5.5
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in
- CVE-2025-12029Dec 11, 2025affected >= 15.11.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in
- CVE-2025-12734Dec 11, 2025affected >= 15.6.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT
- CVE-2025-4097Dec 11, 2025affected >= 11.10.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
- CVE-2025-8405Dec 11, 2025affected >= 17.1.0, < 18.4.6fixed 18.4.6
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int
- CVE-2025-11247Dec 11, 2025affected >= 13.2.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL q
- CVE-2025-11984Dec 11, 2025affected >= 13.1.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con
- CVE-2025-12562Dec 11, 2025affected >= 11.10.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query
- CVE-2025-12716Dec 11, 2025affected >= 18.4.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating
- CVE-2025-13978Dec 11, 2025affected >= 17.5.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests.
- CVE-2025-14157Dec 11, 2025affected >= 6.3.0, < 18.4.6fixed 18.4.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters
- CVE-2024-9183Dec 5, 2025affected >= 18.4.0, < 18.4.5fixed 18.4.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context un
- CVE-2025-6195Nov 26, 2025affected >= 13.7.0, < 18.4.5fixed 18.4.5
GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions.
- CVE-2025-7449Nov 26, 2025affected >= 8.3.0, < 18.4.5fixed 18.4.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing
Page 7 of 54