Debian GitLab vulnerabilities

1,325 known vulnerabilities affecting the Debian package debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in the wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 14 of 67
CVE-2024-1493 | MEDIUM | CVSS 6.5 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1: the processing logic for generating links in dependency files can lead to a regular expression DoS attack on the server.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-3976 | MEDIUM | CVSS 6.5 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-7803 | MEDIUM | CVSS 6.5 | 2024 | open in sid
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS.
Scope: local. sid: open

CVE-2024-5435 | MEDIUM | CVSS 4.5 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, and all versions starting from 17.3 before 17.3.2 that could disclose a user's password from the repository mirror configuration.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-8648 | MEDIUM | CVSS 6.1 | 2024 | fixed in gitlab 17.5.5-1 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.
Scope: local. sid: resolved (fixed in 17.5.5-1)

CVE-2024-9387 | MEDIUM | CVSS 6.4 | 2024 | fixed in gitlab 17.5.5-1 (sid)
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
Scope: local. sid: resolved (fixed in 17.5.5-1)

CVE-2024-12379 | MEDIUM | CVSS 6.5 | 2024 | fixed in gitlab 17.6.5-1 (sid)
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access Token.
Scope: local. sid: resolved (fixed in 17.6.5-1)

CVE-2024-5005 | MEDIUM | CVSS 4.3 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-12619 | MEDIUM | CVSS 5.2 | 2024 | open in sid
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
Scope: local. sid: open

CVE-2024-8186 | MEDIUM | CVSS 5.4 | 2024 | open in sid
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HTML into the child item search, potentially leading to XSS in certain situations.
Scope: local. sid: open

CVE-2024-8641 | MEDIUM | CVSS 6.7 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-1495 | MEDIUM | CVSS 6.5 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using a maliciously crafted file.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-7057 | MEDIUM | CVSS 4.3 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-6389 | MEDIUM | CVSS 4.3 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-1963 | MEDIUM | CVSS 6.5 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-2191 | MEDIUM | CVSS 5.3 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a merge request title to be visible publicly despite being set to project members only.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-6329 | MEDIUM | CVSS 5.7 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-2874 | MEDIUM | CVSS 6.5 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-1816 | MEDIUM | CVSS 5.3 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.
Scope: local. sid: resolved (fixed in 17.3.5-2)

CVE-2024-5258 | MEDIUM | CVSS 4.4 | 2024 | fixed in gitlab 17.3.5-2 (sid)
An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
Scope: local. sid: resolved (fixed in 17.3.5-2)