Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 13 of 67
CVE-2024-1947 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-2177 | MEDIUM | CVSS 6.8 | fixed in gitlab 17.3.5-2 (sid) | 2024
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-2454 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-13041 | MEDIUM | CVSS 4.2 | fixed in gitlab 17.5.5-1 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving thos
Source: debian

CVE-2024-12093 | MEDIUM | CVSS 6.8 | 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
Scope: local; sid: open
Source: debian

CVE-2024-3958 | MEDIUM | CVSS 5.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-4557 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-4207 | MEDIUM | CVSS 4.4 | fixed in gitlab 17.3.5-2 (sid) | 2024
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-8177 | MEDIUM | CVSS 5.3 | fixed in gitlab 17.5.5-1 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.
Scope: local; sid: resolved (fixed in 17.5.5-1)
Source: debian

CVE-2024-12570 | MEDIUM | CVSS 6.7 | fixed in gitlab 17.5.5-1 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.
Scope: local; sid: resolved (fixed in 17.5.5-1)
Source: debian

CVE-2024-10307 | MEDIUM | CVSS 4.3 | 2024
An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
Scope: local; sid: open
Source: debian

CVE-2024-1736 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-3114 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-2818 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-4472 | MEDIUM | CVSS 4.0 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-0456 | MEDIUM | CVSS 4.3 | fixed in gitlab 16.6.6-1 (sid) | 2024
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project.
Scope: local; sid: resolved (fixed in 16.6.6-1)
Source: debian

CVE-2024-8179 | MEDIUM | CVSS 5.4 | fixed in gitlab 17.5.5-1 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.
Scope: local; sid: resolved (fixed in 17.5.5-1)
Source: debian

CVE-2024-5423 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-2800 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
Scope: local; sid: resolved (fixed in 17.3.5-2)
Source: debian

CVE-2024-1299 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.8.4-1 (sid) | 2024
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with owner privileges.
Scope: local; sid: resolved (fixed in 16.8.4-1)
Source: debian