Debian Gitlab vulnerabilities
863 known vulnerabilities affecting debian/gitlab.
Total CVEs: 863
CISA KEV: 4 (actively exploited)
Public exploits: 18
Exploited in wild: 7
Severity breakdown: CRITICAL 43, HIGH 158, MEDIUM 552, LOW 110
Vulnerabilities
Page 13 of 44
CVE-2023-2190 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.11.11+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.
Scope: local
sid: resolved (fixed in 15.11.11+ds1-1)
debian
CVE-2024-3976 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2023-3385 | P3 | MEDIUM | CVSS 6.3 | fixed in gitlab 16.0.8+ds1-1 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`
debian
CVE-2023-3444 | P3 | MEDIUM | CVSS 5.7 | fixed in gitlab 15.11.11+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.
Scope: local
sid: resolved (fixed in 15.11.11+ds1-1)
debian
CVE-2019-13003 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.0.3. One of the parsers used by GitLab CI was vulnerable to a resource exhaustion attack. It allows Uncontrolled Resource Consumption.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-12446 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 8.3 through 11.11. It allows Information Exposure through an Error Message.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2017-0919 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 10.5.5+dfsg-1 (sid) | 2017
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized.
Scope: local
sid: resolved (fixed in 10.5.5+dfsg-1)
debian
CVE-2021-22209 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-0154 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.
Scope: local
sid:
debian
CVE-2020-13303 | P3 | HIGH | CVSS 7.1 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
Scope: local
sid: resolved (fixed in 13.2.8-1)
debian
CVE-2018-20499 | P3 | HIGH | CVSS 7.2 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2021-39944 | P3 | HIGH | CVSS 7.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import.
Scope: local
sid: resolved (fixe
debian
CVE-2024-7554 | P3 | MEDIUM | CVSS 4.9 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2020-13277 | P3 | MEDIUM | CVSS 6.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5.
Scope: local
sid: resolved (fixed in 13.2.3-2)
debian
CVE-2020-13351 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.3.9-1 (sid) | 2020
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, =13.4.0, =13.5.0, <13.5.2.
Scope: local
sid: resolved (fixed in 13.3.9-1)
debian
CVE-2019-15591 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2022-0152 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2023-0485 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for a project member demoted to a user role to read project updates by doing a diff with a pre-existing fork.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-
debian
CVE-2021-39872 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3820 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.
Scope: local
sid: reso
debian