Debian Gitlab vulnerabilities
863 known vulnerabilities affecting debian/gitlab.
Total CVEs: 863
CISA KEV: 4 (actively exploited)
Public exploits: 18
Exploited in wild: 7
Severity breakdown: CRITICAL 43, HIGH 158, MEDIUM 552, LOW 110
Vulnerabilities
Page 36 of 44
CVE-2022-0125 [MEDIUM] P4, CVSS 4.3, 2022, fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2017-0920 [MEDIUM] P4, CVSS 4.3, 2017, fixed in gitlab 10.5.5+dfsg-1 (sid)
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component, allowing an attacker to see every project name and its respective namespace on a GitLab instance.
Scope: local
sid: resolved (fixed in 10.5.5+dfsg-1)
debian
CVE-2022-0390 [MEDIUM] P4, CVSS 4.3, 2022, fixed in gitlab 15.10.8+ds1-2 (sid)
Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1100 [MEDIUM] P4, CVSS 4.3, 2022, fixed in gitlab 15.10.8+ds1-2 (sid)
A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage.
Scope: local
sid: resolved (
debian
CVE-2022-2908 [MEDIUM] P4, CVSS 4.3, 2022, fixed in gitlab 15.10.8+ds1-2 (sid)
A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1, which allowed an attacker to trigger high CPU usage via a specially crafted input added in the Commit message field.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39943 [MEDIUM] P4, CVSS 4.3, 2021, fixed in gitlab 15.10.8+ds1-2 (sid)
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39932 [MEDIUM] P4, CVSS 4.3, 2021, fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2019-6790 [MEDIUM] P4, CVSS 4.3, 2019, fixed in gitlab 11.5.10+dfsg-1 (sid)
An Incorrect Access Control (issue 2 of 3) issue was discovered in GitLab Community and Enterprise Edition 8.14 and later but before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. Guest users were able to view the list of a group's merge requests.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2022-1821 [MEDIUM] P4, CVSS 4.3, 2022, fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2020-26415 [MEDIUM] P4, CVSS 4.3, 2020, fixed in gitlab 13.4.7-1 (sid)
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 and via the REST API. This affects GitLab >=12.2 to [upper bound missing], >=13.5 to [upper bound missing], and >=13.6 to <13.6.2.
Scope: local
sid: resolved (fixed in 13.4.7-1)
debian
CVE-2019-6997 [MEDIUM] P4, CVSS 4.3, 2019, fixed in gitlab 11.5.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. System notes contain an access control issue that permits a guest user to view merge request titles.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2021-39916 [MEDIUM] P4, CVSS 4.3, 2021, fixed in gitlab 15.10.8+ds1-2 (sid)
Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39930 [MEDIUM] P4, CVSS 4.3, 2021, fixed in gitlab 15.10.8+ds1-2 (sid)
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39876 [MEDIUM] P4, CVSS 4.3, 2021, fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2019-18461 [MEDIUM] P4, CVSS 4.3, 2019, fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2021-39902 [MEDIUM] P4, CVSS 4.3, 2021, fixed in gitlab 15.10.8+ds1-2 (sid)
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2020-13357 [MEDIUM] P4, CVSS 4.3, 2020, fixed in gitlab 13.4.7-1 (sid)
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to [upper bound missing], and >= 13.6 to <13.6.2 that allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
Scope: local
sid: resolved (fixed in 13.4.7-1)
debian
CVE-2024-4201 [MEDIUM] P4, CVSS 4.4, 2024, fixed in gitlab 17.3.5-2 (sid)
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
Scope: local
sid: resolved (f
debian
CVE-2019-20144 [MEDIUM] P4, CVSS 4.3, 2019, fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2023-1417 [MEDIUM] P4, CVSS 4.3, 2023, fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to a victim's epic in an unrelated group.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian