Debian Gitlab vulnerabilities
863 known vulnerabilities affecting debian/gitlab.
Total CVEs: 863
CISA KEV: 4 (actively exploited)
Public exploits: 18
Exploited in wild: 7
Severity breakdown: CRITICAL 43, HIGH 158, MEDIUM 552, LOW 110
Vulnerabilities
Page 10 of 44
CVE-2017-0921 | P3 | HIGH | CVSS 8.1 | fixed in gitlab 10.7.7+dfsg-2 (sid) | 2017
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.
Scope: local
sid: resolved (fixed in 10.7.7+dfsg-2)
CVE-2021-22201 | P3 | CRITICAL | CVSS 9.6 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2019-15576 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2018-14602 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 10.8.7+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames.
Scope: local
sid: resolved (fixed in 10.8.7+dfsg-1)
CVE-2018-20500 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An insecure permissions issue was discovered in GitLab Community and Enterprise Edition 9.4 and later but before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. The runner registration token in the CI/CD settings could not be reset. This was a security risk if one of the maintainers leaves the group and they know the token.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
CVE-2019-15583 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2022-3283 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. While cloning an issue, specially crafted content added to the description could have been used to trigger high CPU usage.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2019-11605 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 11.8.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.8.x before 11.8.10, 11.9.x before 11.9.11, and 11.10.x before 11.10.3. It allows Information Disclosure. A small number of GitLab API endpoints would disclose project information when using a read_user scoped token.
Scope: local
sid: resolved (fixed in 11.8.10+dfsg-1)
CVE-2020-13290 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-7968 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 12.6.8-3 (sid) | 2020
GitLab EE 8.0 through 12.7.2 has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2020-13359 | P3 | HIGH | CVSS 7.6 | fixed in gitlab 13.3.9-1 (sid) | 2020
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, =13.4, =13.5, <13.5.2.
Scope: local
sid: resolved (fixed in 13.3.9-1)
CVE-2020-26405 | P3 | HIGH | CVSS 7.1 | fixed in gitlab 13.3.9-1 (sid) | 2020
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, =13.4, =13.5, <13.5.2.
Scope: local
sid: resolved (fixed in 13.3.9-1)
CVE-2019-14944 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2021-22228 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. Improper access control allows unauthorised users to access project details using GraphQL.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2020-13318 | P3 | MEDIUM | CVSS 6.4 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLab's EKS integration was vulnerable to a cross-account assume role attack.
Scope: local
sid: resolved (fixed in 13.2.8-1)
CVE-2024-2800 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via regex backtracking.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2023-3413 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
CVE-2022-2498 | P3 | MEDIUM | CVSS 6.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2024-3959 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts to be accessed by any user.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2021-22229 | P3 | MEDIUM | CVSS 5.9 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through a project fork done by a project member.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)