Debian GitLab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 5 of 67
CVE-2025-13436 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Scope: local; sid: open

CVE-2025-13978 | MEDIUM | CVSS 4.3 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access to through API requests.
Scope: local; sid: open

CVE-2025-0290 | MEDIUM | CVSS 4.3 | 2025 | fixed in gitlab 17.5.5-1 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive.
Scope: local; sid: resolved (fixed in 17.5.5-1)

CVE-2025-10094 | MEDIUM | CVSS 6.5 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with excessively large names.
Scope: local; sid: open

CVE-2025-13335 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Scope: local; sid: open

CVE-2025-11042 | MEDIUM | CVSS 4.3 | 2025
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition, while using specific GraphQL queries.
Scope: local; sid: open

CVE-2025-13690 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.
Scope: local; sid: open

CVE-2025-11984 | MEDIUM | CVSS 6.8 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.
Scope: local; sid: open

CVE-2025-2934 | MEDIUM | CVSS 4.3 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.
Scope: local; sid: open

CVE-2025-7691 | MEDIUM | CVSS 6.5 | 2025
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.
Scope: local; sid: open

CVE-2025-0549 | MEDIUM | CVSS 6.8 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction.
Scope: local; sid: open

CVE-2025-0516 | MEDIUM | CVSS 4.3 | 2025
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 allows users with limited permissions to perform unauthorized actions on critical project data.
Scope: local; sid: open

CVE-2025-1677 | MEDIUM | CVSS 6.5 | 2025
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions up to 17.8.7, 17.9 prior to 17.9.6, and 17.10 prior to 17.10.4. A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
Scope: local; sid: open

CVE-2025-0652 | MEDIUM | CVSS 4.3 | 2025
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, and all versions starting from 17.9 before 17.9.2 that could allow unauthorized users to access confidential information intended for internal use only.
Scope: local; sid: open

CVE-2025-2615 | MEDIUM | CVSS 4.3 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.
Scope: local; sid: open

CVE-2025-12555 | MEDIUM | CVSS 4.3 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled, due to improper authorization checks.
Scope: local; sid: open

CVE-2025-2853 | MEDIUM | CVSS 6.5 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
Scope: local; sid: open

CVE-2025-2408 | MEDIUM | CVSS 5.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, users could bypass IP access restrictions and view sensitive information.
Scope: local; sid: open

CVE-2025-3279 | MEDIUM | CVSS 6.5 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
Scope: local; sid: open

CVE-2025-0194 | MEDIUM | CVSS 6.5 | 2025 | fixed in gitlab 17.5.5-1 (sid)
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner.
Scope: local; sid: resolved (fixed in 17.5.5-1)