Debian Gitlab vulnerabilities
863 known vulnerabilities affecting debian/gitlab.
Total CVEs
863
CISA KEV
4
actively exploited
Public exploits
18
Exploited in wild
7
Severity breakdown
CRITICAL43HIGH158MEDIUM552LOW110
Vulnerabilities
Page 2 of 44
CVE-2022-1680P2CRITICALCVSS 9.9fixed in gitlab 15.10.8+ds1-2 (sid)2022
CVE-2022-1680 [CRITICAL] CVE-2022-1680: gitlab - An account takeover issue has been discovered in GitLab EE affecting all version...
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary
debian
CVE-2024-4024P2HIGHCVSS 7.3fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-4024 [HIGH] CVE-2024-4024: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitb
debian
CVE-2024-2434P2HIGHCVSS 8.5fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-2434 [HIGH] CVE-2024-2434: gitlab - An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 1...
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-6385P2CRITICALCVSS 9.6fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-6385 [CRITICAL] CVE-2024-6385: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 15....
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-0402P2CRITICALCVSS 9.9fixed in gitlab 16.6.6-1 (sid)2024
CVE-2024-0402 [CRITICAL] CVE-2024-0402: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 pr...
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
Scope: local
sid: resolved (fixed in 16.6.6-1)
debian
CVE-2023-2442P3HIGHCVSS 8.7fixed in gitlab 15.10.8+ds1-2 (sid)2023
CVE-2023-2442 [HIGH] CVE-2023-2442: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22192P2CRITICALCVSS 9.9fixed in gitlab 15.10.8+ds1-2 (sid)2021
CVE-2021-22192 [CRITICAL] CVE-2021-22192: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2024-5655P2CRITICALCVSS 9.6fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-5655 [CRITICAL] CVE-2024-5655: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 15....
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2023-0050P3HIGHCVSS 8.7fixed in gitlab 15.10.8+ds1-2 (sid)2023
CVE-2023-0050 [HIGH] CVE-2023-0050: gitlab - An issue has been discovered in GitLab affecting all versions starting from 13.7...
An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
Scope: local
sid: resolved
debian
CVE-2023-3364P3HIGHCVSS 7.5fixed in gitlab 16.0.8+ds1-1 (sid)2023
CVE-2023-3364 [HIGH] CVE-2023-3364: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint.
Scope: local
sid: resolved (fixed i
debian
CVE-2024-8124P3HIGHCVSS 7.5fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-8124 [HIGH] CVE-2024-8124: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 16....
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2017-0916P3CRITICALCVSS 9.8fixed in gitlab 10.5.5+dfsg-1 (sid)2017
CVE-2017-0916 [CRITICAL] CVE-2017-0916: gitlab - Gitlab Community Edition version 10.3 is vulnerable to a lack of input validatio...
Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.
Scope: local
sid: resolved (fixed in 10.5.5+dfsg-1)
debian
CVE-2023-5612P3MEDIUMCVSS 5.3PoCfixed in gitlab 16.6.6-1 (sid)2023
CVE-2023-5612 [MEDIUM] CVE-2023-5612: gitlab - An issue has been discovered in GitLab affecting all versions before 16.6.6, 16....
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
Scope: local
sid: resolved (fixed in 16.6.6-1)
debian
CVE-2022-1190P3HIGHCVSS 8.7fixed in gitlab 15.10.8+ds1-2 (sid)2022
CVE-2022-1190 [HIGH] CVE-2022-1190: gitlab - Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14...
Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2017-0915P3CRITICALCVSS 9.8fixed in gitlab 10.5.5+dfsg-1 (sid)2017
CVE-2017-0915 [CRITICAL] CVE-2017-0915: gitlab - Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validat...
Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution.
Scope: local
sid: resolved (fixed in 10.5.5+dfsg-1)
debian
CVE-2021-39906P3HIGHCVSS 8.7fixed in gitlab 15.10.8+ds1-2 (sid)2021
CVE-2021-39906 [HIGH] CVE-2021-39906: gitlab - Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows...
Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3265P3HIGHCVSS 7.3fixed in gitlab 15.10.8+ds1-2 (sid)2022
CVE-2022-3265 [HIGH] CVE-2022-3265: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v...
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Scope: local
sid
debian
CVE-2024-6678P3CRITICALCVSS 9.9fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-6678 [CRITICAL] CVE-2024-6678: gitlab - An issue was discovered in GitLab CE/EE affecting all versions starting from 8.1...
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2024-2829P3HIGHCVSS 7.5fixed in gitlab 17.3.5-2 (sid)2024
CVE-2024-2829 [HIGH] CVE-2024-2829: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
Scope: local
sid: resolved (fixed in 17.3.5-2)
debian
CVE-2022-1423P3HIGHCVSS 7.1fixed in gitlab 15.10.8+ds1-2 (sid)2022
CVE-2022-1423 [HIGH] CVE-2022-1423: gitlab - Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting a...
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches
Scope: local
sid: resol
debian