GitLab: Version Control Server and CI/CD Platform


GitLab EOL Dates

Ensure that you are using a supported version of GitLab. The end-of-life and end-of-support dates for recent GitLab releases are listed below. GitLab backports security fixes only to the current minor release and the two before it, so in practice an instance must stay on one of the three most recent minor versions to keep receiving patches.

Release  EOL                 End of Support      Status
18.1     September 18, 2025  July 17, 2025       EOL this year (2025)
18.0     August 21, 2025     June 19, 2025       EOL this year (2025)
17.11    July 17, 2025       May 15, 2025        EOL this year (2025)
17.9     May 15, 2025        March 20, 2025      EOL
17.8     April 17, 2025      February 20, 2025   EOL
17.7     March 20, 2025      January 16, 2025    EOL
17.6     February 20, 2025   December 19, 2024   EOL
17.5     January 16, 2025    November 21, 2024   EOL
17.4     December 19, 2024   October 17, 2024    EOL
17.3     November 21, 2024   September 19, 2024  EOL
17.2     October 17, 2024    August 15, 2024     EOL
17.1     September 19, 2024  July 18, 2024       EOL
17.0     August 15, 2024     June 20, 2024       EOL
16.11    July 18, 2024       May 16, 2024        EOL
16.9     May 16, 2024        March 21, 2024      EOL
16.8     April 18, 2024      February 15, 2024   EOL
16.7     March 21, 2024      January 18, 2024    EOL
16.6     February 15, 2024   December 21, 2023   EOL
16.5     January 18, 2024    November 16, 2023   EOL
16.4     December 21, 2023   October 22, 2023    EOL

By the Year

So far in 2025, 11 vulnerabilities have been published for GitLab, with an average CVSS base score of 5.56 out of 10. In 2024, 147 GitLab vulnerabilities were published, with an average base score of 6.32, about 0.8 points higher. At the current pace GitLab will have fewer published vulnerabilities in 2025 than it did in 2024. Counts and averages measure disclosure volume, not the exposure of a particular instance; what matters operationally is whether the running version falls inside an entry's affected range.




Year Vulnerabilities Average Score
2025 11 5.56
2024 147 6.32
2023 175 5.90
2022 150 5.75
2021 156 5.45
2020 235 6.14
2019 164 6.23
2018 33 7.06

It may take a day or so for new GitLab vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent GitLab Security Vulnerabilities

CVE-2025-0605 4.3 - Medium - May 22, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.

Authentication

CVE-2025-0679 4.3 - Medium - May 22, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.

Privacy violation

CVE-2025-0993 6.5 - Medium - May 22, 2025

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.

Allocation of Resources Without Limits or Throttling

CVE-2025-1110 4.3 - Medium - May 22, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.

AuthZ

CVE-2025-2853 6.5 - Medium - May 22, 2025

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.

Allocation of Resources Without Limits or Throttling

CVE-2025-3111 6.5 - Medium - May 22, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service.

Allocation of Resources Without Limits or Throttling

CVE-2025-0555 6.1 - Medium - March 03, 2025

A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions.

XSS

CVE-2024-10925 - March 03, 2025

A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML

Insecure Direct Object Reference / IDOR

CVE-2025-0475 6.1 - Medium - March 03, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.

XSS

CVE-2024-8186 5.4 - Medium - March 03, 2025

An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HTML into the child item search, potentially leading to XSS in certain situations.

XSS

CVE-2025-0194 - January 08, 2025

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner.

Insertion of Sensitive Information into Externally-Accessible File or Directory

GitLab CE/EE Unauthenticated Access to Confidential Issue and Epic File Attachments

CVE-2023-5117 - December 25, 2024

An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.

Exposure of Sensitive Information Due to Incompatible Policies

GitLab CE/EE GraphQL Query Branch Name Disclosure Vulnerability

CVE-2024-8116 - December 16, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.

AuthZ

GitLab Merge Request Internal Notes Exposure Vulnerability

CVE-2024-8650 - December 16, 2024

An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.

AuthZ

CVE-2024-10043 - December 12, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident titles through the Wiki History Diff feature, potentially leading to information disclosure.

AuthZ

CVE-2024-11274 - December 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where injection of Network Error Logging (NEL) headers in a Kubernetes proxy response could lead to session data exfiltration.

Open Redirect

CVE-2024-12292 - December 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.

Insertion of Sensitive Information into Log File

CVE-2024-12570 - December 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.

Privilege Context Switching Error

CVE-2024-8179 - December 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.

XSS

CVE-2024-8233 - December 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.

Inefficient Algorithmic Complexity

CVE-2024-8647 - December 12, 2024

An issue was discovered in GitLab affecting all versions starting from 15.2 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self-hosted installs, it was possible to leak the anti-CSRF token to an external site while the Harbor integration was enabled.

Directory traversal

CVE-2024-9367 - December 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.

Allocation of Resources Without Limits or Throttling

CVE-2024-9387 - December 12, 2024

An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.

Open Redirect

Stored XSS Vulnerability in GitLab Project View

CVE-2024-52283 - November 28, 2024

Missing sanitization of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users who view a certain project.

XSS

GitLab EE: Information Disclosure Vulnerability in Merge Request (MR) Feature

CVE-2024-10240 5.3 - Medium - November 26, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVE-2024-8114 8.8 - High - November 26, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.

AuthZ

CVE-2024-8177 7.5 - High - November 26, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.

Inefficient Algorithmic Complexity

GitLab Cargo.toml File Parsing Denial of Service Vulnerability

CVE-2024-8237 7.5 - High - November 26, 2024

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted Cargo.toml file.

Inefficient Algorithmic Complexity

GitLab Authentication Bypass Vulnerability in Long-Lived Connections

CVE-2024-11668 5.3 - Medium - November 26, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.

Insufficient Session Expiration

GitLab API Token Scope Misconfiguration Vulnerability

CVE-2024-11669 7.5 - High - November 26, 2024

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.

AuthZ

GitLab API Denial of Service Vulnerability

CVE-2024-11828 7.5 - High - November 26, 2024

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch.

Inefficient Algorithmic Complexity

GitLab Domain Confusion Vulnerability in Group Naming

CVE-2024-9633 7.5 - High - November 14, 2024

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.

Incorrect Ownership Assignment

GitLab CE/EE Analytics Dashboard XSS Vulnerability

CVE-2024-8648 6.1 - Medium - November 14, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.

XSS

CVE-2024-7404 6.5 - Medium - November 14, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow.

Clickjacking

GitLab Kubernetes Agent Unauthorized Access Vulnerability

CVE-2024-9693 8.8 - High - November 14, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.

AuthZ

CVE-2024-8180 5.4 - Medium - November 14, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.

XSS

CVE-2024-6826 6.5 - Medium - October 24, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.

Allocation of Resources Without Limits or Throttling

CVE-2024-8312 5.4 - Medium - October 24, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.

XSS

CVE-2024-5005 4.3 - Medium - October 11, 2024

An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.

CVE-2024-8970 8.8 - High - October 11, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

CVE-2024-9164 8.8 - High - October 11, 2024

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.

CVE-2024-6530 5.4 - Medium - October 10, 2024

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorizing an application, it can be made to render as HTML under specific circumstances.

XSS

CVE-2024-9623 6.5 - Medium - October 10, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.

AuthZ

CVE-2024-9596 5.3 - Medium - October 10, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.

CVE-2024-8977 8.1 - High - October 10, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.

SSRF

CVE-2023-3441 9.1 - Critical - October 01, 2024

An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.

CVE-2024-4099 5.3 - Medium - September 26, 2024

An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.

Output Sanitization

CVE-2024-8974 4.3 - Medium - September 26, 2024

Information disclosure in GitLab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorised user.

AuthZ

CVE-2024-4278 2.7 - Low - September 26, 2024

An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.

Improper Synchronization

CVE-2024-6685 4.3 - Medium - September 16, 2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
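Every entry above states its affected range in the same shape: one or more clauses of the form "from X before Y" (or "starting from X prior to Y"), sometimes with no lower bound ("all versions before Y"), where each Y is the first patched release on that branch. The following script, added here as an example and not taken from stack.watch or GitLab, parses those clauses and reports, for a given running version, which of the listed CVEs apply and which release to upgrade to. The five advisory sentences are quoted from the entries above; the running-version strings are constructed test inputs (on a self-managed instance the real value is the `version` field returned by `GET /api/v4/version`).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Window:
    """One affected range: lo (inclusive, None = no lower bound) up to hi (exclusive)."""
    lo: Optional[Version]
    hi: Version
    fixed_in: str  # the upper bound as written in the advisory, i.e. the patched release


def parse_version(text: str) -> Version:
    """'17.10' -> (17, 10, 0); '18.0.1' -> (18, 0, 1).
    Padding to three parts keeps comparisons such as 17.10.0 >= 17.10 consistent."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


# Matches the clause spellings used in GitLab advisories on this page:
#   "from 16.8 before 17.10.7", "starting from 17.4 prior to 17.5.5",
#   "17.11 before 17.11.3", and the unbounded "all versions before 17.10.7".
_CLAUSE = re.compile(
    r"(?:(?:starting\s+)?from\s+)?"   # optional "from" / "starting from"
    r"(\d+(?:\.\d+)*)?"                # optional inclusive lower bound
    r"\s*(?:before|prior\s+to)\s+"     # "before" or "prior to"
    r"(\d+(?:\.\d+)*)",                # exclusive upper bound = first fixed release
    re.IGNORECASE,
)


def parse_affected(sentence: str) -> List[Window]:
    """Extract every affected window from an advisory sentence."""
    return [
        Window(parse_version(lo) if lo else None, parse_version(hi), hi)
        for lo, hi in _CLAUSE.findall(sentence)
    ]


def fix_for(version: str, sentence: str) -> Optional[str]:
    """Return the release to upgrade to if `version` falls inside an affected
    window of `sentence`; None means not affected (already patched, or on a
    branch the advisory does not cover)."""
    v = parse_version(version)
    for w in parse_affected(sentence):
        if (w.lo is None or v >= w.lo) and v < w.hi:
            return w.fixed_in
    return None


def triage(version: str, advisories: List[Tuple[str, str]]) -> dict:
    """Map CVE id -> patched release for every advisory that applies to `version`."""
    hits = {}
    for cve, sentence in advisories:
        target = fix_for(version, sentence)
        if target:
            hits[cve] = target
    return hits


# Affected-version sentences quoted from the advisories listed above.
ADVISORIES = [
    ("CVE-2025-0605", "affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1"),
    ("CVE-2025-0993", "affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1"),
    ("CVE-2025-1110", "affecting all versions from 18.0 before 18.0.1"),
    ("CVE-2025-0194", "affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1"),
    ("CVE-2024-8114", "affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1"),
]

if __name__ == "__main__":
    # Constructed running versions; a real check would feed in the instance's version string.
    for running in ("17.11.2", "18.0.1", "16.7.9"):
        print(running, triage(running, ADVISORIES))
```

Two details worth noticing: the upper bound of each window is the patched release itself, so a version equal to it is correctly reported as not affected; and a version between branches (for example 17.10.8 against a window ending at 17.10.7) is also not affected, which is why the comparison works on padded tuples rather than on string prefixes.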
