GitLab Version Control Server and CI/CD Platform
GitLab EOL Dates
Ensure that you are running a supported version of GitLab. The table below lists end-of-life (EOL) and end-of-support dates for recent GitLab releases. GitLab backports security fixes only to the current minor release and the two before it, so an instance past its End of Support date will not receive patches for the vulnerabilities listed further down and should be upgraded rather than patched in place.
Release | EOL | End of Support | Status |
---|---|---|---|
18.1 | September 18, 2025 | July 17, 2025 | EOL this year (September 2025) |
18.0 | August 21, 2025 | June 19, 2025 | EOL this year (August 2025) |
17.11 | July 17, 2025 | May 15, 2025 | EOL this year (July 2025) |
17.9 | May 15, 2025 | March 20, 2025 | EOL |
17.8 | April 17, 2025 | February 20, 2025 | EOL |
17.7 | March 20, 2025 | January 16, 2025 | EOL |
17.6 | February 20, 2025 | December 19, 2024 | EOL |
17.5 | January 16, 2025 | November 21, 2024 | EOL |
17.4 | December 19, 2024 | October 17, 2024 | EOL |
17.3 | November 21, 2024 | September 19, 2024 | EOL |
17.2 | October 17, 2024 | August 15, 2024 | EOL |
17.1 | September 19, 2024 | July 18, 2024 | EOL |
17.0 | August 15, 2024 | June 20, 2024 | EOL |
16.11 | July 18, 2024 | May 16, 2024 | EOL |
16.9 | May 16, 2024 | March 21, 2024 | EOL |
16.8 | April 18, 2024 | February 15, 2024 | EOL |
16.7 | March 21, 2024 | January 18, 2024 | EOL |
16.6 | February 15, 2024 | December 21, 2023 | EOL |
16.5 | January 18, 2024 | November 16, 2023 | EOL |
16.4 | December 21, 2023 | October 22, 2023 | EOL |
By the Year
So far in 2025 there have been 11 vulnerabilities published for GitLab, with an average CVSS base score of 5.6 out of 10. In 2024, 147 GitLab security vulnerabilities were published. At the current rate, GitLab is on track to have fewer vulnerabilities in 2025 than it did last year; the average base score in 2024 was 0.77 higher (6.32 versus 5.56).
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 11 | 5.56 |
2024 | 147 | 6.32 |
2023 | 175 | 5.90 |
2022 | 150 | 5.75 |
2021 | 156 | 5.45 |
2020 | 235 | 6.14 |
2019 | 164 | 6.23 |
2018 | 33 | 7.06 |
It may take a day or so for new GitLab vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, some vulnerabilities may be tagged under a different product or component name (for example a bundled component rather than GitLab itself), so a count of zero for a given period does not by itself mean there is nothing to patch.
Recent GitLab Security Vulnerabilities
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVE-2025-0605
4.3 - Medium
- May 22, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
Authentication
An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVE-2025-0679
4.3 - Medium
- May 22, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions, unauthorised users can view full email addresses that should be partially obscured.
Privacy violation
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVE-2025-0993
6.5 - Medium
- May 22, 2025
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.
Allocation of Resources Without Limits or Throttling
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1
CVE-2025-1110
4.3 - Medium
- May 22, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
AuthZ
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVE-2025-2853
6.5 - Medium
- May 22, 2025
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
Allocation of Resources Without Limits or Throttling
An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVE-2025-3111
6.5 - Medium
- May 22, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause a denial of service.
Allocation of Resources Without Limits or Throttling
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1
CVE-2025-0555
6.1 - Medium
- March 03, 2025
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions.
XSS
A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1
CVE-2024-10925
- March 03, 2025
A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML
Insecure Direct Object Reference / IDOR
GitLab CE/EE Proxy Feature Unintended Content Rendering (XSS) Vulnerability
CVE-2025-0475
6.1 - Medium
- March 03, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
XSS
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1
CVE-2024-8186
5.4 - Medium
- March 03, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HTML into the child item search, potentially leading to XSS in certain situations.
XSS
GitLab CE/EE Access Tokens Logged During Certain API Requests
CVE-2025-0194
- January 08, 2025
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner.
Insertion of Sensitive Information into Externally-Accessible File or Directory
GitLab CE/EE Unauthenticated Access to Confidential Issue and Epic File Attachments
CVE-2023-5117
- December 25, 2024
An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.
Exposure of Sensitive Information Due to Incompatible Policies
GitLab CE/EE GraphQL Query Branch Name Disclosure Vulnerability
CVE-2024-8116
- December 16, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.
AuthZ
GitLab Merge Request Internal Notes Exposure Vulnerability
CVE-2024-8650
- December 16, 2024
An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.
AuthZ
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2
CVE-2024-10043
- December 12, 2024
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.
AuthZ
GitLab CE/EE NEL Header Injection in Kubernetes Proxy Responses
CVE-2024-11274
- December 12, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.
Open Redirect
GitLab CE/EE Sensitive GraphQL Mutation Data Retained in Logs
CVE-2024-12292
- December 12, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.
Insertion of Sensitive Information into Log File
GitLab CE/EE Session Token Obtainable From a Victim's CI_JOB_TOKEN
CVE-2024-12570
- December 12, 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.
Privilege Context Switching Error
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2
CVE-2024-8179
- December 12, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.
XSS
An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2
CVE-2024-8233
- December 12, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.
Inefficient Algorithmic Complexity
An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2
CVE-2024-8647
- December 12, 2024
An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.
Directory traversal
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2
CVE-2024-9367
- December 12, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.
Allocation of Resources Without Limits or Throttling
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2
CVE-2024-9387
- December 12, 2024
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
Open Redirect
Stored XSS Vulnerability in GitLab Project View
CVE-2024-52283
- November 28, 2024
Missing sanitization of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users who view a certain project.
XSS
GitLab EE: Information Disclosure Vulnerability in Merge Request (MR) Feature
CVE-2024-10240
5.3 - Medium
- November 26, 2024
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1
CVE-2024-8114
8.8 - High
- November 26, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.
AuthZ
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service
CVE-2024-8177
7.5 - High
- November 26, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, and starting from 17.6 prior to 17.6.1, which could cause a denial of service via integrating a malicious Harbor registry.
Inefficient Algorithmic Complexity
GitLab Cargo.toml File Parsing Denial of Service Vulnerability
CVE-2024-8237
7.5 - High
- November 26, 2024
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions from 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted Cargo.toml file.
Inefficient Algorithmic Complexity
GitLab Authentication Bypass Vulnerability in Long-Lived Connections
CVE-2024-11668
5.3 - Medium
- November 26, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
Insufficient Session Expiration
GitLab API Token Scope Misconfiguration Vulnerability
CVE-2024-11669
7.5 - High
- November 26, 2024
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
AuthZ
GitLab API Denial of Service Vulnerability
CVE-2024-11828
7.5 - High
- November 26, 2024
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This was a regression of an earlier patch.
Inefficient Algorithmic Complexity
GitLab Domain Confusion Vulnerability in Group Naming
CVE-2024-9633
7.5 - High
- November 14, 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
Incorrect Ownership Assignment
GitLab CE/EE Analytics Dashboard XSS Vulnerability
CVE-2024-8648
6.1 - Medium
- November 14, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.
XSS
GitLab CE/EE Full API Access as the Victim via the Device OAuth Flow
CVE-2024-7404
6.5 - Medium
- November 14, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow.
Clickjacking
GitLab Kubernetes Agent Unauthorized Access Vulnerability
CVE-2024-9693
8.8 - High
- November 14, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.
AuthZ
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2
CVE-2024-8180
5.4 - Medium
- November 14, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.
XSS
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1
CVE-2024-6826
6.5 - Medium
- October 24, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.
Allocation of Resources Without Limits or Throttling
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1
CVE-2024-8312
5.4 - Medium
- October 24, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.
XSS
GitLab EE/CE Project Template Disclosure to Guest Users via the API
CVE-2024-5005
4.3 - Medium
- October 11, 2024
An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.
AuthZ
GitLab CE/EE Pipeline Triggered as Another User
CVE-2024-8970
8.8 - High
- October 11, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
GitLab EE Pipelines Run on Arbitrary Branches
CVE-2024-9164
8.8 - High
- October 11, 2024
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
GitLab Application Authorization Page Cross-Site Scripting Vulnerability
CVE-2024-6530
5.4 - Medium
- October 10, 2024
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorizing an application, its details can be made to render as HTML under specific circumstances.
XSS
GitLab CE/EE Deploy Keys Allowed to Push to Archived Repositories
CVE-2024-9623
6.5 - Medium
- October 10, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
AuthZ
GitLab EE Unauthenticated Version Number Disclosure
CVE-2024-9596
5.3 - Medium
- October 10, 2024
An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.
GitLab EE Product Analytics Dashboard SSRF Vulnerability
CVE-2024-8977
8.1 - High
- October 10, 2024
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
SSRF
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4
CVE-2023-3441
9.1 - Critical
- October 01, 2024
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.
GitLab EE AI Feature Hidden Prompt Injection via Unsanitized Content
CVE-2024-4099
5.3 - Medium
- September 26, 2024
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.
Output Sanitization
GitLab EE/CE Private Project Path Disclosure
CVE-2024-8974
4.3 - Medium
- September 26, 2024
Information disclosure in GitLab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorised user.
AuthZ
GitLab EE Dependency Proxy Password Disclosure to Maintainers
CVE-2024-4278
2.7 - Low
- September 26, 2024
An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.
Improper Synchronization
GitLab CE/EE Group Runner Information Disclosed to Unauthorised Group Members
CVE-2024-6685
4.3 - Medium
- September 16, 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
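A practical check that ties the two halves of this page together, added here as an example (it is not stack.watch's or GitLab's own code): the script below parses the "affecting all versions from X before Y, A before B" wording used in the advisories above into inclusive-lower / exclusive-upper version ranges, reports which of the listed CVEs apply to a given self-managed GitLab version, and classifies that version against the EOL table. The EOL dictionary is copied from the table above and the ADVISORIES list is a constructed subset of the entries above; the regular-expression grammar is my assumption, written to cover the wording variants that occur on this page ("before", "prior to", "prior", "to", with or without "starting from"), so an advisory phrased differently should have its parsed ranges inspected before the result is trusted.

```python
"""Check a self-managed GitLab version against EOL dates and advisory version ranges.

Added example, not GitLab or stack.watch code. EOL data and advisory sentences
are copied/constructed from the stack.watch GitLab page; the range grammar is an
assumption that matches the wording seen there.
"""
import re
from datetime import date

# Release line -> (EOL date, end-of-support date), copied from the table on this page.
EOL = {
    "18.1": (date(2025, 9, 18), date(2025, 7, 17)), "18.0": (date(2025, 8, 21), date(2025, 6, 19)),
    "17.11": (date(2025, 7, 17), date(2025, 5, 15)), "17.9": (date(2025, 5, 15), date(2025, 3, 20)),
    "17.8": (date(2025, 4, 17), date(2025, 2, 20)), "17.7": (date(2025, 3, 20), date(2025, 1, 16)),
    "17.6": (date(2025, 2, 20), date(2024, 12, 19)), "17.5": (date(2025, 1, 16), date(2024, 11, 21)),
    "17.4": (date(2024, 12, 19), date(2024, 10, 17)), "17.3": (date(2024, 11, 21), date(2024, 9, 19)),
    "17.2": (date(2024, 10, 17), date(2024, 8, 15)), "17.1": (date(2024, 9, 19), date(2024, 7, 18)),
    "17.0": (date(2024, 8, 15), date(2024, 6, 20)), "16.11": (date(2024, 7, 18), date(2024, 5, 16)),
    "16.9": (date(2024, 5, 16), date(2024, 3, 21)), "16.8": (date(2024, 4, 18), date(2024, 2, 15)),
    "16.7": (date(2024, 3, 21), date(2024, 1, 18)), "16.6": (date(2024, 2, 15), date(2023, 12, 21)),
    "16.5": (date(2024, 1, 18), date(2023, 11, 16)), "16.4": (date(2023, 12, 21), date(2023, 10, 22)),
}

# Constructed subset of the advisories on this page: (CVE id, affected-version sentence).
ADVISORIES = [
    ("CVE-2025-0605", "all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1"),
    ("CVE-2025-0993", "all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1"),
    ("CVE-2024-8647", "all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2"),
    ("CVE-2024-9164", "all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, "
                      "and starting from 17.4 prior to 17.4.2"),
    ("CVE-2023-5117", "all versions before 17.6.0"),
]

_VER = r"\d+(?:\.\d+)*"
# One clause = optional inclusive lower bound, then an exclusive upper bound.
# Assumed grammar covering the page's variants: "from X before Y", "starting from X
# prior to Y", "starting X to Y", "X prior Y", and a bare "before Y" (no lower bound).
_CLAUSE = re.compile(
    rf"(?:(?:starting\s+)?(?:from\s+)?({_VER}))?,?\s*\b(?:before|prior\s+to|prior|to)\s+({_VER})"
)


def parse_version(text):
    """'17.10.7' -> (17, 10, 7). Tuples compare element-wise; (17, 11) <= (17, 11, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def affected_ranges(sentence):
    """Return [(lower_inclusive or None, upper_exclusive), ...] for one advisory sentence."""
    return [
        (parse_version(m.group(1)) if m.group(1) else None, parse_version(m.group(2)))
        for m in _CLAUSE.finditer(sentence)
    ]


def is_affected(version, sentence):
    """True if `version` falls inside any range the sentence describes."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in affected_ranges(sentence))


def matching_cves(version, advisories=ADVISORIES):
    """CVE ids from `advisories` whose affected ranges include `version`."""
    return [cve for cve, sentence in advisories if is_affected(version, sentence)]


def eol_status(version, today=None):
    """Classify the release line of `version` against the EOL table; `today` is an ISO date string."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    line = "{}.{}".format(*parse_version(version)[:2])
    if line not in EOL:
        return "unknown"  # release line is not in the table on this page
    eol, end_of_support = EOL[line]
    if today >= eol:
        return "eol"
    if today >= end_of_support:
        return "past end of support"
    return "supported"


if __name__ == "__main__":
    for v in ("17.10.6", "17.3.4", "18.0.1"):
        print(v, "|", eol_status(v, "2025-05-22"), "|", matching_cves(v))
```

Feed it the version string of your own instance (for example the `version` field returned by GitLab's `GET /api/v4/version` endpoint, which needs an authenticated user) and, for a new advisory, paste its affected-version sentence into ADVISORIES. Two details matter for correctness: the upper bound is exclusive, so 17.10.7 itself is fixed and not flagged, and a release line missing from the EOL table (17.10 above, for instance) is reported as "unknown" rather than silently treated as supported.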