Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 18 of 67
CVE-2024-9596 | LOW | CVSS 3.7 | 2024
[LOW] gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. Scope: local. sid: resolved.
CVE-2024-4612 | LOW | CVSS 6.4 | 2024
[MEDIUM] gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. Scope: local. sid: resolved.
CVE-2024-9512 | LOW | CVSS 5.3 | 2024
[MEDIUM] gitlab - An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for a private repository to be cloned in the case of a race condition when a secondary node is out of sync. Scope: local. sid: resolved.
CVE-2024-9633 | LOW | CVSS 3.1 | fixed in gitlab 17.5.5-1 (sid) | 2024
[LOW] gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks. Scope: local. sid: resolved.
CVE-2024-5318 | LOW | CVSS 4.0 | 2024
[MEDIUM] gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts. Scope: local. sid: resolved.
CVE-2024-7404 | LOW | CVSS 6.8 | 2024
[MEDIUM] gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow. Scope: local. sid: resolved.
CVE-2024-8635 | LOW | CVSS 7.7 | 2024
[HIGH] gitlab - A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL. Scope: local. sid: resolved.
CVE-2024-5257 | LOW | CVSS 4.9 | 2024
[MEDIUM] gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with the `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace. Scope: local. sid: resolved.
CVE-2024-1250 | LOW | CVSS 6.5 | 2024
[MEDIUM] gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with the manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation. Scope: local. sid: resolved.
CVE-2024-1451 | LOW | CVSS 8.7 | 2024
[HIGH] gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims. Scope: local. sid: resolved.
CVE-2024-9870 | LOW | CVSS 4.3 | 2024
[MEDIUM] gitlab - An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services. Scope: local. sid: resolved.
CVE-2024-1539 | LOW | CVSS 4.3 | 2024
[MEDIUM] gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API. Scope: local. sid: resolved.
CVE-2024-8631 | LOW | CVSS 5.5 | 2024
[MEDIUM] gitlab - A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. Scope: local. sid: resolved.
CVE-2024-6446 | LOW | CVSS 3.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] gitlab - An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim into trusting an attacker-controlled application. Scope: local. sid: resolved (fixed in 17.3.5-2).
CVE-2024-5067 | LOW | CVSS 4.4 | 2024
[MEDIUM] gitlab - An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in the DOM to group members with Developer or higher roles. Scope: local. sid: resolved.
CVE-2024-5469 | LOW | CVSS 3.1 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] gitlab - DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests. Scope: local. sid: resolved (fixed in 17.3.5-2).
CVE-2024-10043 | LOW | CVSS 3.1 | 2024
[LOW] gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2, that allows group users to view the title of a confidential incident through the Wiki History Diff feature, potentially leading to information disclosure. Scope: local. sid: resolved.
CVE-2024-6595 | LOW | CVSS 3.0 | fixed in gitlab 17.3.5-2 (sid) | 2024
[LOW] gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data. Scope: local. sid: resolved (fixed in 17.3.5-2).
CVE-2023-7028 | CRITICAL | CVSS 10.0 | KEV | PoC | fixed in gitlab 16.4.5+ds2-1 (sid) | 2023
[CRITICAL] gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. Scope: local. sid: resolved (fixed in 16.4.5+ds2-1).
CVE-2023-2478 | CRITICAL | CVSS 9.6 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
[CRITICAL] gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, and all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project. Scope: local. sid: resolved (fixed in 15.10.8+ds1-2).
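The entries above state affected ranges as prose ("starting from X prior to Y", "X before Y", a bare "prior to Y"), and the Debian fix versions carry packaging suffixes such as +ds2-1. As an added example, not part of this listing and not GitLab's or Debian's own tooling, the following Python turns that phrasing into inclusive-lower/exclusive-upper version pairs and checks an installed version against four advisories quoted from this page. The sample versions it checks are assumptions, and reading "from 17.1 to 17.1.7" as exclusive of 17.1.7 is an interpretation chosen to match the fixed-in releases.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Clause grammar used by the GitLab advisory text quoted in this listing:
#   "[starting] from X prior to Y", "X before Y", "from X to Y", or a bare
#   "prior to Y" (every release below Y).  X is inclusive, Y is exclusive.
CLAUSE_RE = re.compile(
    r"(?:(?:starting\s+)?from\s+)?(\d+(?:\.\d+)*)?\s*(?:prior\s+to|before|to)\s+(\d+(?:\.\d+)*)",
    re.IGNORECASE,
)


def upstream_version(v: str) -> str:
    """Strip Debian packaging suffixes: '16.4.5+ds2-1' -> '16.4.5'."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"not a version string: {v!r}")
    return m.group(0)


def parse_version(v: str) -> Version:
    """'17.3' -> (17, 3, 0); zero-padding keeps tuple comparison well-defined."""
    parts = [int(p) for p in upstream_version(v).split(".")]
    if len(parts) > 3:
        raise ValueError(f"unsupported version depth: {v!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_ranges(description: str) -> List[Tuple[Version, Version]]:
    """Extract (lower_inclusive, upper_exclusive) pairs from advisory prose."""
    ranges: List[Tuple[Version, Version]] = []
    for lower, upper in CLAUSE_RE.findall(description):
        # A clause with no lower bound ("all versions prior to Y") starts at 0.0.0.
        lo = parse_version(lower) if lower else (0, 0, 0)
        ranges.append((lo, parse_version(upper)))
    return ranges


def is_affected(version: str, description: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in parse_ranges(description))


# Affected-range sentences copied from the entries in this listing.
ADVISORIES: Dict[str, str] = {
    "CVE-2023-7028": "affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, "
                     "16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, "
                     "16.6 prior to 16.6.4, and 16.7 prior to 16.7.2",
    "CVE-2024-9596": "An issue has been discovered in GitLab EE affecting all versions starting "
                     "from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2.",
    "CVE-2024-6446": "affecting all versions starting from 17.1 to 17.1.7, "
                     "17.2 prior to 17.2.5 and 17.3 prior to 17.3.2.",
    "CVE-2024-9512": "affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, "
                     "and 18.0 prior to 18.0.2.",
}


def affected_cves(installed: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """CVE IDs whose affected ranges contain the installed (Debian or upstream) version."""
    return sorted(cve for cve, text in advisories.items() if is_affected(installed, text))


if __name__ == "__main__":
    # Assumed installed versions; on a Debian host the real one comes from
    #   dpkg-query -W -f='${Version}' gitlab
    for v in ("16.4.4+ds1-1", "16.4.5+ds2-1", "17.1.7"):
        print(v, "->", affected_cves(v) or "none of the listed CVEs")
```

The matcher is deliberately conservative: it only knows the upstream version number, so a Debian build that backports a fix without bumping that number is still reported as affected. Treat the tracker's own "fixed in" field as the authority and use this only to triage which entries on a page need a closer look.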