Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 11 of 67
CVE-2024-6385 | CRITICAL | CVSS 9.6 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-5655 | CRITICAL | CVSS 9.6 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-6678 | CRITICAL | CVSS 9.9 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-4901 | HIGH | CVSS 8.7 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-4024 | HIGH | CVSS 7.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitb
debian
CVE-2024-9631 | HIGH | CVSS 7.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-6530 | HIGH | CVSS 7.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorizing an application, it can be made to render as HTML under specific circumstances. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-2829 | HIGH | CVSS 7.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-8970 | HIGH | CVSS 8.2 | fixed in gitlab 17.3.5-3 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. Scope: local; sid: resolved (fixed in 17.3.5-3).
debian
CVE-2024-0199 | HIGH | CVSS 7.7 | fixed in gitlab 16.8.4-1 (sid) | 2024
gitlab: An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. Scope: local; sid: resolved (fixed in 16.8.4-1).
debian
CVE-2024-2878 | HIGH | CVSS 7.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-2434 | HIGH | CVSS 8.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-11274 | HIGH | CVSS 8.7 | fixed in gitlab 17.5.5-1 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where injection of NEL headers in a k8s proxy response could lead to session data exfiltration. Scope: local; sid: resolved (fixed in 17.5.5-1).
debian
CVE-2024-3092 | HIGH | CVSS 8.7 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-2279 | HIGH | CVSS 8.7 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issue references feature, a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. Scope: loca
debian
CVE-2024-9693 | HIGH | CVSS 8.5 | fixed in gitlab 17.3.5-3 (sid) | 2024
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. Scope: local; sid: resolved (fixed in 17.3.5-3).
debian
CVE-2024-8114 | HIGH | CVSS 8.2 | fixed in gitlab 17.5.5-1 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges. Scope: local; sid: resolved (fixed in 17.5.5-1).
debian
CVE-2024-8312 | HIGH | CVSS 8.7 | fixed in gitlab 17.5.5-2 (sid) | 2024
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view, leading to XSS. Scope: local; sid: resolved (fixed in 17.5.5-2).
debian
CVE-2024-7047 | HIGH | CVSS 7.7 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: A cross-site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allowing an attacker to execute arbitrary scripts in the context of the currently logged-in user. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian
CVE-2024-4835 | HIGH | CVSS 8.0 | fixed in gitlab 17.3.5-2 (sid) | 2024
gitlab: An XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information. Scope: local; sid: resolved (fixed in 17.3.5-2).
debian