Debian Gitlab vulnerabilities
863 known vulnerabilities affecting debian/gitlab.
Total CVEs: 863
CISA KEV: 4 (actively exploited)
Public exploits: 18
Exploited in wild: 7
Severity breakdown: CRITICAL 43, HIGH 158, MEDIUM 552, LOW 110
Vulnerabilities
Page 42 of 44
CVE-2019-18449 | P4 | MEDIUM | CVSS 4.3 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2019-18453 | P4 | MEDIUM | CVSS 4.3 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2020-13350 | P4 | LOW | CVSS 3.1 | 2020 | fixed in gitlab 13.3.9-1 (sid)
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, =13.4.0, <13.4.5, <13.3.9.
Scope: local
sid: resolved (fixed in 13.3.9-1)

CVE-2021-22194 | P4 | MEDIUM | CVSS 5.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab, marshalled session keys were being stored in Redis.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2021-39879 | P4 | LOW | CVSS 2.2 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2019-5465 | P4 | MEDIUM | CVSS 4.3 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2021-39919 | P4 | MEDIUM | CVSS 4.4 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2021-39881 | P4 | LOW | CVSS 3.5 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2021-22202 | P4 | LOW | CVSS 2.4 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2024-12292 | P4 | MEDIUM | CVSS 4.0 | 2024 | fixed in gitlab 17.5.5-1 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.
Scope: local
sid: resolved (fixed in 17.5.5-1)

CVE-2023-0838 | P4 | MEDIUM | CVSS 5.5 | 2023 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the URL. This addresses an incomplete fix for CVE-2022-4342.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-2620 | P4 | MEDIUM | CVSS 5.5 | 2023 | fixed in gitlab 15.11.11+ds1-1 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838.
Scope: local
sid: res

CVE-2021-39899 | P4 | LOW | CVSS 2.9 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the com

CVE-2022-1426 | P4 | LOW | CVSS 2.0 | 2022 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user that had some certain amount of information, which allowed a user to authenticate without a personal access token.
Scope: local
sid:

CVE-2019-9219 | P4 | LOW | CVSS 3.7 | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)

CVE-2019-7176 | P4 | LOW | CVSS 3.7 | 2019 | fixed in gitlab 11.5.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)

CVE-2023-5117 | P4 | LOW | CVSS 3.7 | 2023 | fixed in gitlab 17.6.5-1 (sid)
An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.
Scope: local
sid: resolved (fixed in 17.6.5-1)

CVE-2022-3375 | P4 | LOW | CVSS 3.1 | 2022 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when an attacker has a fork of a project that was switched to private.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-4342 | P4 | MEDIUM | CVSS 5.5 | 2022 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing the target URL of the webhook.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-0483 | P4 | MEDIUM | CVSS 5.5 | 2023 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)