Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 7 of 67
CVE-2025-4097 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
Scope: local
sid: open
debian
CVE-2025-5315 | MEDIUM | CVSS 4.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
Scope: local
sid: open
debian
CVE-2025-4225 | MEDIUM | CVSS 5.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests.
Scope: local
sid: open
debian
CVE-2025-14157 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by sending crafted API calls with large content parameters.
Scope: local
sid: open
debian
CVE-2025-11246 | MEDIUM | CVSS 5.4 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Scope: local
sid: open
debian
CVE-2025-5819 | MEDIUM | CVSS 5.0 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.
Scope: local
sid: open
debian
CVE-2025-3111 | MEDIUM | CVSS 6.5 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service.
Scope: local
sid: open
debian
CVE-2025-6171 | MEDIUM | CVSS 5.3 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.
Scope: local
sid: open
debian
CVE-2025-7001 | MEDIUM | CVSS 4.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed privileged users to access certain resource_group information through the API which should have been unavailable.
Scope: local
sid: open
debian
CVE-2025-11971 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits.
Scope: local
sid: open
debian
CVE-2025-1754 | MEDIUM | CVSS 5.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.
Scope: local
sid: open
debian
CVE-2025-6769 | MEDIUM | CVSS 4.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces.
Scope: local
sid: open
debian
CVE-2025-10569 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
Scope: local
sid: open
debian
CVE-2025-1212 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.6.5-1 (sid) | 2025
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
Scope: local
sid: resolved (fixed in 17.6.5-1)
debian
CVE-2025-1278 | MEDIUM | CVSS 5.3 | 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
Scope: local
sid: open
debian
CVE-2025-12576 | MEDIUM | CVSS 6.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data.
Scope: local
sid: open
debian
CVE-2025-14103 | LOW (summary label: MEDIUM) | CVSS 4.3 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
Scope: local
sid: resolved
debian
CVE-2025-3950 | LOW | CVSS 3.5 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
Scope: local
sid: open
debian
CVE-2025-7736 | LOW | CVSS 3.1 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers.
Scope: local
sid: resolved
debian
CVE-2025-12716 | LOW (summary label: HIGH) | CVSS 8.7 | 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.
Scope: local
sid: resolved
debian