Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 12 of 67
CVE-2024-4994 [HIGH] CVSS 8.1 (2024). Scope: local; sid: open.
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
CVE-2024-0410 [HIGH] CVSS 7.7 (2024). Scope: local; sid: resolved (fixed in gitlab 16.8.3-1).
gitlab: An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.
CVE-2024-8233 [HIGH] CVSS 7.5 (2024). Scope: local; sid: resolved (fixed in gitlab 17.5.5-1).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.
CVE-2024-8124 [HIGH] CVSS 7.5 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.
CVE-2024-1211 [MEDIUM] CVSS 6.4 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
CVE-2024-1066 [MEDIUM] CVSS 6.5 (2024). Scope: local; sid: resolved (fixed in gitlab 16.6.7-1).
gitlab: An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to cause resource exhaustion using the GraphQL `vulnerabilitiesCountByDay` query.
CVE-2024-4539 [MEDIUM] CVSS 4.3 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branches and tags could lead to Denial of Service.
CVE-2024-3959 [MEDIUM] CVSS 6.5 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed private job artifacts to be accessed by any user.
CVE-2024-8266 [MEDIUM] CVSS 4.4 (2024). Scope: local; sid: resolved (fixed in gitlab 17.6.5-1).
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with the maintainer role to trigger a pipeline as project owner under certain circumstances.
CVE-2024-12380 [MEDIUM] CVSS 4.4 (2024). Scope: local; sid: open.
gitlab: An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
CVE-2024-6826 [MEDIUM] CVSS 6.5 (2024). Scope: local; sid: resolved (fixed in gitlab 17.5.5-2).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a maliciously crafted XML manifest file.
CVE-2024-8973 [MEDIUM] CVSS 6.5 (2024). Scope: local; sid: open.
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a maliciously crafted payload.
CVE-2024-7610 [MEDIUM] CVSS 4.3 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
CVE-2024-4006 [MEDIUM] CVSS 4.3 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access token scopes were not honored by GraphQL subscriptions.
CVE-2024-13054 [MEDIUM] CVSS 6.5 (2024). Scope: local; sid: open.
gitlab: An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2, where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.
CVE-2024-9623 [MEDIUM] CVSS 4.9 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
CVE-2024-7554 [MEDIUM] CVSS 4.9 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
CVE-2024-8647 [MEDIUM] CVSS 5.4 (2024). Scope: local; sid: resolved (fixed in gitlab 17.5.5-1).
gitlab: An issue was discovered in GitLab affecting all versions starting from 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self-hosted installs, it was possible to leak the anti-CSRF token to an external site while the Harbor integration was enabled.
CVE-2024-6324 [MEDIUM] CVSS 4.3 (2024). Scope: local; sid: resolved (fixed in gitlab 17.5.5-2).
gitlab: An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.
CVE-2024-1347 [MEDIUM] CVSS 4.3 (2024). Scope: local; sid: resolved (fixed in gitlab 17.3.5-2).
gitlab: An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain-based restrictions on an instance or a group.