
Debian Gitlab vulnerabilities

863 known vulnerabilities affecting debian/gitlab.

Total CVEs: 863
CISA KEV: 4 (actively exploited)
Public exploits: 18
Exploited in wild: 7
Severity breakdown: CRITICAL 43, HIGH 158, MEDIUM 552, LOW 110

Vulnerabilities

Page 6 of 44
CVE-2024-11274 | P3 | HIGH | CVSS 8.7 | fixed in gitlab 17.5.5-1 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2: injection of NEL headers in the k8s proxy response could lead to session data exfiltration.
Scope: local; sid: resolved (fixed in 17.5.5-1)

CVE-2019-5464 | P3 | CRITICAL | CVSS 9.8 | fixed in gitlab 12.6.8-3 (sid) | 2019
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
Scope: local; sid: resolved (fixed in 12.6.8-3)

CVE-2020-13309 | P3 | MEDIUM | CVSS 5.4 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature.
Scope: local; sid: resolved (fixed in 13.2.8-1)

CVE-2020-13343 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.10-1 (sid) | 2020
An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized users can view custom project templates.
Scope: local; sid: resolved (fixed in 13.2.10-1)

CVE-2022-2229 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.
Scope: local; sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2024-0199 | P3 | HIGH | CVSS 7.7 | fixed in gitlab 16.8.4-1 (sid) | 2024
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.
Scope: local; sid: resolved (fixed in 16.8.4-1)

CVE-2022-0244 | P3 | HIGH | CVSS 8.6 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible when importing a group, due to incorrect handling of a file.
Scope: local; sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2016-9469 | P3 | HIGH | CVSS 8.2 | fixed in gitlab 8.13.6+dfsg2-2 (sid) | 2016
Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released

CVE-2018-19576 | P3 | HIGH | CVSS 8.1 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential.
Scope: local; sid: resolved (fixed in 11.3.11+dfsg-1)

CVE-2018-16049 | P3 | CRITICAL | CVSS 9.8 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.
Scope: local; sid: resolved (fixed in 11.1.8+dfsg-2)

CVE-2021-22236 | P3 | MEDIUM | CVSS 5.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
Scope: local; sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2018-8971 | P3 | CRITICAL | CVSS 9.8 | fixed in gitlab 10.5.6+dfsg-1 (sid) | 2018
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
Scope: local; sid: resolved (fixed in 10.5.6+dfsg-1)

CVE-2024-3035 | P3 | MEDIUM | CVSS 6.8 | fixed in gitlab 17.3.5-2 (sid) | 2024
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed LFS tokens to read and write to user-owned repositories.
Scope: local; sid: resolved (fixed in 17.3.5-2)

CVE-2018-18646 | P3 | HIGH | CVSS 8.8 | fixed in gitlab 11.2.8+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows SSRF.
Scope: local; sid: resolved (fixed in 11.2.8+dfsg-2)

CVE-2021-39867 | P3 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
Scope: local; sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2019-6788 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 3 of 6). For installations using GitHub or Bitbucket OAuth integrations, it is possible to use a covert redirect to obtain the user OAuth token for those services.
Scope: local; sid: resolved (fixed in 11.5.10+dfsg-1)

CVE-2022-4037 | P3 | MEDIUM | CVSS 6.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.
Scope: local; sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2230 | P4 | HIGH | CVSS 8.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf.
Scope: local; sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2024-1211 | P3 | MEDIUM | CVSS 6.4 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
Scope: local; sid: resolved (fixed in 17.3.5-2)

CVE-2018-19856 | P3 | HIGH | CVSS 7.5 | fixed in gitlab 11.5.4+dfsg-1 (sid) | 2018
GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API.
Scope: local; sid: resolved (fixed in 11.5.4+dfsg-1)
