Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11340 | — | >= 18.3.0, < 18.3.4 | 18.3.4 | Oct 9, 2025 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting | ||
| CVE-2025-2934 | — | >= 5.2.0, < 18.2.8 | 18.2.8 | Oct 9, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that | ||
| CVE-2025-8014 | — | >= 11.10.0, < 18.2.7 | 18.2.7 | Sep 27, 2025 | Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service dis | ||
| CVE-2025-11042 | — | >= 17.2.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using speci | ||
| CVE-2025-5069 | — | >= 17.10.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name t | ||
| CVE-2025-10868 | — | >= 17.4.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs. | ||
| CVE-2025-7691 | — | >= 16.6.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain un | ||
| CVE-2025-9642 | — | >= 14.10.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover. | ||
| CVE-2025-9958 | — | >= 14.10.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations. | ||
| CVE-2025-10858 | — | < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files. | ||
| CVE-2025-10867 | — | >= 18.1.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated | ||
| CVE-2025-10871 | — | >= 16.6.0, < 18.2.7 | 18.2.7 | Sep 26, 2025 | An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively gran | ||
| CVE-2025-1250 | — | >= 15.0.0, < 18.1.6 | 18.1.6 | Sep 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request des | ||
| CVE-2025-2256 | — | >= 7.12.0, < 18.1.6 | 18.1.6 | Sep 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large S | ||
| CVE-2025-6454 | — | >= 16.11.0, < 18.1.6 | 18.1.6 | Sep 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences. | ||
| CVE-2025-6769 | — | >= 15.1.0, < 18.1.6 | 18.1.6 | Sep 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces | ||
| CVE-2025-7337 | — | >= 7.8.0, < 18.1.6 | 18.1.6 | Sep 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab | ||
| CVE-2025-10094 | — | >= 10.7.0, < 18.1.6 | 18.1.6 | Sep 12, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with ex | ||
| CVE-2025-2246 | — | < 18.1.5 | 18.1.5 | Aug 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API. | ||
| CVE-2025-3601 | — | >= 8.15.0, < 18.1.5 | 18.1.5 | Aug 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessive |
- CVE-2025-11340Oct 9, 2025affected >= 18.3.0, < 18.3.4fixed 18.3.4
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting
- CVE-2025-2934Oct 9, 2025affected >= 5.2.0, < 18.2.8fixed 18.2.8
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that
- CVE-2025-8014Sep 27, 2025affected >= 11.10.0, < 18.2.7fixed 18.2.7
Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service dis
- CVE-2025-11042Sep 26, 2025affected >= 17.2.0, < 18.2.7fixed 18.2.7
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using speci
- CVE-2025-5069Sep 26, 2025affected >= 17.10.0, < 18.2.7fixed 18.2.7
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name t
- CVE-2025-10868Sep 26, 2025affected >= 17.4.0, < 18.2.7fixed 18.2.7
An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs.
- CVE-2025-7691Sep 26, 2025affected >= 16.6.0, < 18.2.7fixed 18.2.7
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain un
- CVE-2025-9642Sep 26, 2025affected >= 14.10.0, < 18.2.7fixed 18.2.7
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover.
- CVE-2025-9958Sep 26, 2025affected >= 14.10.0, < 18.2.7fixed 18.2.7
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations.
- CVE-2025-10858Sep 26, 2025affected < 18.2.7fixed 18.2.7
An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files.
- CVE-2025-10867Sep 26, 2025affected >= 18.1.0, < 18.2.7fixed 18.2.7
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated
- CVE-2025-10871Sep 26, 2025affected >= 16.6.0, < 18.2.7fixed 18.2.7
An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively gran
- CVE-2025-1250Sep 12, 2025affected >= 15.0.0, < 18.1.6fixed 18.1.6
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request des
- CVE-2025-2256Sep 12, 2025affected >= 7.12.0, < 18.1.6fixed 18.1.6
An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large S
- CVE-2025-6454Sep 12, 2025affected >= 16.11.0, < 18.1.6fixed 18.1.6
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences.
- CVE-2025-6769Sep 12, 2025affected >= 15.1.0, < 18.1.6fixed 18.1.6
An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces
- CVE-2025-7337Sep 12, 2025affected >= 7.8.0, < 18.1.6fixed 18.1.6
An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab
- CVE-2025-10094Sep 12, 2025affected >= 10.7.0, < 18.1.6fixed 18.1.6
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with ex
- CVE-2025-2246Aug 27, 2025affected < 18.1.5fixed 18.1.5
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API.
- CVE-2025-3601Aug 27, 2025affected >= 8.15.0, < 18.1.5fixed 18.1.5
An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessive
Page 9 of 54