Debian Gitlab vulnerabilities

CVE-2024-11828 [MEDIUM] CVE-2024-11828: gitlab - A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all... A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch. Scope: local sid: resolved (fixed in 17.5.5-1)

CVE-2024-4011 [LOW] CVE-2024-4011: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 16.... An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-3303 [MEDIUM] CVE-2024-3303: gitlab - An issue was discovered in GitLab EE affecting all versions starting from 16.0 p... An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection. Scope: local sid: resolved

CVE-2024-5470 [LOW] CVE-2024-5470: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 17.... An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens. Scope: local sid: resolved

CVE-2024-11668 [MEDIUM] CVE-2024-11668: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 b... An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results. Scope: local sid: resolved

CVE-2024-6356 [MEDIUM] CVE-2024-6356: gitlab - An issue was discovered in GitLab EE affecting all versions starting from 16.0 p... An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot. Scope: local sid: resolved

CVE-2024-8640 [HIGH] CVE-2024-8640: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. Scope: local sid: resolved

CVE-2024-2743 [MEDIUM] CVE-2024-2743: gitlab - An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 1... An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. Scope: local sid: resolved

CVE-2024-8311 [MEDIUM] CVE-2024-8311: gitlab - An issue was discovered with pipeline execution policies in GitLab EE affecting ... An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template. Scope: local sid: resolved

CVE-2024-11669 [MEDIUM] CVE-2024-11669: gitlab - An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 befor... An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes. Scope: local sid: resolved

CVE-2024-4283 [MEDIUM] CVE-2024-4283: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. Scope: local sid: resolved

CVE-2024-7060 [LOW] CVE-2024-7060: gitlab - An information disclosure vulnerability in GitLab CE/EE in project/group exports... An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export. Scope: local sid: resolved (fixed in 17.3.5-2)

CVE-2024-8180 [MEDIUM] CVE-2024-8180: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 be... An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled. Scope: local sid: resolved

CVE-2024-6323 [HIGH] CVE-2024-6323: gitlab - Improper authorization in global search in GitLab EE affecting all versions from... Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. Scope: local sid: resolved

CVE-2024-9164 [CRITICAL] CVE-2024-9164: gitlab - An issue was discovered in GitLab EE affecting all versions starting from 12.5 p... An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. Scope: local sid: resolved

CVE-2024-4278 [MEDIUM] CVE-2024-4278: gitlab - An information disclosure issue has been discovered in GitLab EE affecting all v... An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting. Scope: local sid: resolved

CVE-2024-7586 [MEDIUM] CVE-2024-7586: gitlab - An issue was discovered in GitLab EE affecting all versions starting from 17.0 p... An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials. Scope: local sid: resolved

CVE-2024-4099 [LOW] CVE-2024-4099: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection. Scope: local sid: resolved

CVE-2024-9163 [LOW] CVE-2024-9163: gitlab - A business logic error in GitLab CE/EE affecting all versions starting from 12.1... A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs. Scope: local sid: open

CVE-2024-9183 [HIGH] CVE-2024-9183: gitlab - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 ... GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions. Scope: local sid: resolved