GitLab GitLab Version Control Server and CI/CD Platform

  1. Vendors
  2. GitLab
  3. GitLab

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in GitLab.

GitLab EOL Dates

Ensure that you are using a supported version of GitLab. Here are some end of life, and end of support dates for GitLab.

Release EOL End of Support Status
17.11 July 17, 2025 May 15, 2025
EOL This Year

GitLab 17.11 will become EOL this year, in July 2025.
17.9 May 15, 2025 March 20, 2025
EOL This Year

GitLab 17.9 will become EOL this year, in May 2025.
17.8 April 17, 2025 February 20, 2025
EOL

GitLab 17.8 became EOL in 2025 and supported ended in 2025
17.7 March 20, 2025 January 16, 2025
EOL

GitLab 17.7 became EOL in 2025 and supported ended in 2025
17.6 February 20, 2025 December 19, 2024
EOL

GitLab 17.6 became EOL in 2025 and supported ended in 2024
17.5 January 16, 2025 November 21, 2024
EOL

GitLab 17.5 became EOL in 2025 and supported ended in 2024
17.4 December 19, 2024 October 17, 2024
EOL

GitLab 17.4 became EOL in 2024 and supported ended in 2024
17.3 November 21, 2024 September 19, 2024
EOL

GitLab 17.3 became EOL in 2024 and supported ended in 2024
17.2 October 17, 2024 August 15, 2024
EOL

GitLab 17.2 became EOL in 2024 and supported ended in 2024
17.1 September 19, 2024 July 18, 2024
EOL

GitLab 17.1 became EOL in 2024 and supported ended in 2024
17.0 August 15, 2024 June 20, 2024
EOL

GitLab 17.0 became EOL in 2024 and supported ended in 2024
16.11 July 18, 2024 May 16, 2024
EOL

GitLab 16.11 became EOL in 2024 and supported ended in 2024
16.9 May 16, 2024 March 21, 2024
EOL

GitLab 16.9 became EOL in 2024 and supported ended in 2024
16.8 April 18, 2024 February 15, 2024
EOL

GitLab 16.8 became EOL in 2024 and supported ended in 2024
16.7 March 21, 2024 January 18, 2024
EOL

GitLab 16.7 became EOL in 2024 and supported ended in 2024
16.6 February 15, 2024 December 21, 2023
EOL

GitLab 16.6 became EOL in 2024 and supported ended in 2023
16.5 January 18, 2024 November 16, 2023
EOL

GitLab 16.5 became EOL in 2024 and supported ended in 2023
16.4 December 21, 2023 October 22, 2023
EOL

GitLab 16.4 became EOL in 2023 and supported ended in 2023
16.3 November 16, 2023 September 22, 2023
EOL

GitLab 16.3 became EOL in 2023 and supported ended in 2023
16.2 October 22, 2023 August 22, 2023
EOL

GitLab 16.2 became EOL in 2023 and supported ended in 2023

By the Year

In 2025 there have been 3 vulnerabilities in GitLab with an average score of 5.9 out of ten. Last year, in 2024 GitLab had 138 security vulnerabilities published. Right now, GitLab is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.46




Year Vulnerabilities Average Score
2025 3 5.87
2024 138 6.32
2023 175 5.90
2022 150 5.75
2021 156 5.45
2020 235 6.14
2019 164 6.23
2018 33 7.06

It may take a day or so for new GitLab vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent GitLab Security Vulnerabilities

A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1

CVE-2025-0555 6.1 - Medium - March 03, 2025

A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions

CVE-2025-0475 6.1 - Medium - March 03, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1

CVE-2024-8186 5.4 - Medium - March 03, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations.

XSS

GitLab CE/EE Unauthenticated Access to Confidential Issue and Epic File Attachments

CVE-2023-5117 - December 25, 2024

An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.

Exposure of Sensitive Information Due to Incompatible Policies

GitLab Merge Request Internal Notes Exposure Vulnerability

CVE-2024-8650 - December 16, 2024

An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.

AuthZ

GitLab CE/EE GraphQL Query Branch Name Disclosure Vulnerability

CVE-2024-8116 - December 16, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.

AuthZ

Stored XSS Vulnerability in GitLab Project View

CVE-2024-52283 - November 28, 2024

Missing sanitation of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users that view a certain project

XSS

GitLab EE: Information Disclosure Vulnerability in Merge Request (MR) Feature

CVE-2024-10240 5.3 - Medium - November 26, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

GitLab API Denial of Service Vulnerability

CVE-2024-11828 7.5 - High - November 26, 2024

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch.

Inefficient Algorithmic Complexity

GitLab API Token Scope Misconfiguration Vulnerability

CVE-2024-11669 7.5 - High - November 26, 2024

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.

AuthZ

GitLab Authentication Bypass Vulnerability in Long-Lived Connections

CVE-2024-11668 5.3 - Medium - November 26, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.

Insufficient Session Expiration

GitLab Cargo.toml File Parsing Denial of Service Vulnerability

CVE-2024-8237 7.5 - High - November 26, 2024

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.

Inefficient Algorithmic Complexity

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service

CVE-2024-8177 7.5 - High - November 26, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.

Inefficient Algorithmic Complexity

An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1

CVE-2024-8114 8.8 - High - November 26, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.

AuthZ

GitLab Domain Confusion Vulnerability in Group Naming

CVE-2024-9633 7.5 - High - November 14, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.

Incorrect Ownership Assignment

GitLab CE/EE Analytics Dashboard XSS Vulnerability

CVE-2024-8648 6.1 - Medium - November 14, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.

XSS

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have

CVE-2024-7404 6.5 - Medium - November 14, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.

Clickjacking

GitLab Kubernetes Agent Unauthorized Access Vulnerability

CVE-2024-9693 8.8 - High - November 14, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.

AuthZ

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2

CVE-2024-8180 5.4 - Medium - November 14, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1

CVE-2024-8312 5.4 - Medium - October 24, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1

CVE-2024-6826 6.5 - Medium - October 24, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.

Allocation of Resources Without Limits or Throttling

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which

CVE-2024-9164 8.8 - High - October 11, 2024

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which

CVE-2024-8970 8.8 - High - October 11, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting

CVE-2024-5005 4.3 - Medium - October 11, 2024

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API.

A cross-site scripting issue has been discovered in GitLab affecting all versions starting

CVE-2024-6530 5.4 - Medium - October 10, 2024

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When adding a authorizing an application, it can be made to render as HTML under specific circumstances.

XSS

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which

CVE-2024-9623 6.5 - Medium - October 10, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.

AuthZ

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-9596 5.3 - Medium - October 10, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-8977 8.1 - High - October 10, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.

SSRF

An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4

CVE-2023-3441 9.1 - Critical - October 01, 2024

An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.

Information disclosure in Gitlab EE/CE affecting all versions

CVE-2024-8974 4.3 - Medium - September 26, 2024

Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."

AuthZ

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-4099 5.3 - Medium - September 26, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.

Output Sanitization

An information disclosure issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-4278 2.7 - Low - September 26, 2024

An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.

Improper Synchronization

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-6685 4.3 - Medium - September 16, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-4283 6.1 - Medium - September 16, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.

Open Redirect

An issue has been discovered in GitLab CE/EE affecting all versions starting

CVE-2024-8641 8.8 - High - September 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.

An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which

CVE-2024-8311 6.5 - Medium - September 12, 2024

An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which

CVE-2024-6678 8.8 - High - September 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.

Authentication Bypass by Spoofing

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-4472 5.5 - Medium - September 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.

Insertion of Sensitive Information into Log File

An issue has been discovered in GitLab EE/CE affecting all versions

CVE-2024-8754 8.1 - High - September 12, 2024

An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-8640 8.8 - High - September 12, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.

Command Injection

A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-8635 6.5 - Medium - September 12, 2024

A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL

SSRF

A privilege escalation issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-8631 7.2 - High - September 12, 2024

A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service

CVE-2024-8124 7.5 - High - September 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.

ReDoS

An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2

CVE-2024-6446 3.5 - Low - September 12, 2024

An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application.

An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2

CVE-2024-6389 4.3 - Medium - September 12, 2024

An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting

CVE-2024-5435 6.5 - Medium - September 12, 2024

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.

Generation of Error Message Containing Sensitive Information

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-4660 7.5 - High - September 12, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-4612 6.1 - Medium - September 12, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.

Open Redirect

An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2

CVE-2024-2743 9.1 - Critical - September 12, 2024

An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.

AuthZ

The Ruby SAML library is for implementing the client side of a SAML authorization

CVE-2024-45409 9.8 - Critical - September 10, 2024

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

Improper Verification of Cryptographic Signature

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6

CVE-2024-8041 6.5 - Medium - August 22, 2024

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.

An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1

CVE-2024-7110 6.4 - Medium - August 22, 2024

An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection.

Command Injection

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which

CVE-2024-6502 6.5 - Medium - August 22, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag.

An issue has been discovered in GitLab EE affecting all versions starting

CVE-2024-3127 4.3 - Medium - August 22, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.

AuthZ

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-3114 6.5 - Medium - August 08, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.

ReDoS

ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2

CVE-2024-2800 7.5 - High - August 08, 2024

ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.

ReDoS

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6

CVE-2024-7610 6.5 - Medium - August 08, 2024

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.

An issue has been discovered in GitLab CE/EE affecting all versions starting

CVE-2024-7554 6.5 - Medium - August 08, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which

CVE-2024-5423 6.5 - Medium - August 08, 2024

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.

A cross-site scripting issue has been discovered in GitLab affecting all versions starting

CVE-2024-4207 5.4 - Medium - August 08, 2024

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2

CVE-2024-3958 6.5 - Medium - August 08, 2024

An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.

Code Injection

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2

CVE-2024-3035 8.1 - High - August 08, 2024

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.

Insecure Direct Object Reference / IDOR

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-6329 7.5 - High - August 08, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.

Output Sanitization

An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2

CVE-2024-4784 5.4 - Medium - August 08, 2024

An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.

authentification

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6

CVE-2024-4210 6.5 - Medium - August 08, 2024

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.

A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1

CVE-2024-7047 5.4 - Medium - July 25, 2024

A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.

XSS

An information disclosure vulnerability in GitLab CE/EE affecting all versions starting

CVE-2024-7057 4.3 - Medium - July 25, 2024

An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-7091 5 - Medium - July 24, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.

An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1

CVE-2024-7060 6.5 - Medium - July 24, 2024

An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export.

An issue was discovered in GitLab EE affecting all versions starting

CVE-2024-5067 4.9 - Medium - July 24, 2024

An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles.

A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1

CVE-2024-0231 2.7 - Low - July 24, 2024

A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.

Injection

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-6595 5.3 - Medium - July 17, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.

Unrestricted File Upload

Gitlab Pipelines Privilege Escalation

CVE-2024-6385 9.8 - Critical - July 11, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-5470 2.7 - Low - July 11, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-5257 2.7 - Low - July 11, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-2880 2.7 - Low - July 11, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.

A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions

CVE-2024-2177 6.8 - Medium - July 09, 2024

A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.

Clickjacking

Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1

CVE-2024-6323 7.5 - High - June 27, 2024

Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project.

AuthZ

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-5655 8.8 - High - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-5430 4.9 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL.

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-4901 5.4 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.

XSS

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which

CVE-2024-4557 6.5 - Medium - June 27, 2024

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline.

Resource Exhaustion

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-4011 4.3 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.

AuthZ

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-3959 6.5 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user.

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-3115 4.3 - Medium - June 27, 2024

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.

AuthZ

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-2191 5.3 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.

An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which

CVE-2024-1816 5.5 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.

An issue was discovered in GitLab CE/EE affecting all versions starting

CVE-2024-1493 6.5 - Medium - June 27, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server

ReDoS

DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3

CVE-2024-5469 4.3 - Medium - June 14, 2024

DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.

Improper Check for Unusual or Exceptional Conditions

A cross-site scripting issue has been discovered in GitLab affecting all versions starting

CVE-2024-4201 4.4 - Medium - June 12, 2024

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions starting

CVE-2024-1963 6.5 - Medium - June 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.

ReDoS

An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting

CVE-2024-1736 6.5 - Medium - June 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.

ReDoS

An issue has been discovered in GitLab CE/EE affecting all versions starting

CVE-2024-1495 6.5 - Medium - June 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.

ReDoS

An issue has been discovered in GitLab CE/EE affecting all versions starting

CVE-2024-5318 5.3 - Medium - May 24, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts.

AuthZ

An authorization vulnerability exists within GitLab

CVE-2024-5258 4.3 - Medium - May 23, 2024

An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.

AuthZ

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions

CVE-2024-1947 6.5 - Medium - May 23, 2024

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.

A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1

CVE-2023-7045 6.1 - Medium - May 23, 2024

A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).

Session Riding

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6

CVE-2023-6502 6.5 - Medium - May 23, 2024

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.

ReDoS

A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1

CVE-2024-4835 8.2 - High - May 23, 2024

A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.

XSS

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1

CVE-2024-2874 6.5 - Medium - May 23, 2024

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.

Allocation of Resources Without Limits or Throttling

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for GitLab or by GitLab? Click the Watch button to subscribe.

GitLab
Vendor

GitLab
Version Control Server and CI/CD Platform

subscribe