Debian Gitlab vulnerabilities

CVE-2024-5430 [MEDIUM] CVE-2024-5430: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 16.... An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-4201 [MEDIUM] CVE-2024-4201: gitlab - A cross-site scripting issue has been discovered in GitLab affecting all version... A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances. Scope: local sid: resolved (f

CVE-2024-9367 [MEDIUM] CVE-2024-9367: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 13.... An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-3035 [MEDIUM] CVE-2024-3035: gitlab - A permission check vulnerability in GitLab CE/EE affecting all versions starting... A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-6502 [MEDIUM] CVE-2024-6502: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2... An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-8650 [MEDIUM] CVE-2024-8650: gitlab - An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior t... An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-8116 [MEDIUM] CVE-2024-8116: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 be... An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-7091 [MEDIUM] CVE-2024-7091: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 15.... An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-11931 [MEDIUM] CVE-2024-11931: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint. Scope: local sid: resolved (fixed in 17.6.5-1)

CVE-2024-4784 [MEDIUM] CVE-2024-4784: gitlab - An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, v... An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-8754 [MEDIUM] CVE-2024-8754: gitlab - An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 ... An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured. Scope: local sid: resolved (fixed in 17.3.5-3)

CVE-2024-4025 [MEDIUM] CVE-2024-4025: gitlab - A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affectin... A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page. Scope: local sid: open

CVE-2024-10219 [MEDIUM] CVE-2024-10219: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 be... An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints. Scope: local sid: open

CVE-2024-4210 [MEDIUM] CVE-2024-4210: gitlab - A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affectin... A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-2651 [MEDIUM] CVE-2024-2651: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.... An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-8041 [MEDIUM] CVE-2024-8041: gitlab - A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting al... A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-8237 [MEDIUM] CVE-2024-8237: gitlab - A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting al... A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-12431 [MEDIUM] CVE-2024-12431: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 15.... An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-12292 [MEDIUM] CVE-2024-12292: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 11.... An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-1525 [MEDIUM] CVE-2024-1525: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with