CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-11931 – Insufficient Granularity of Access Control in GitLab
https://notcve.org/view.php?id=CVE-2024-11931
24 Jan 2025 — An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint. • https://gitlab.com/gitlab-org/gitlab/-/issues/480901 • CWE-1220: Insufficient Granularity of Access Control •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 1CVE-2025-0314 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-0314
24 Jan 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting. • https://gitlab.com/gitlab-org/gitlab/-/issues/512118 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-13041 – Incorrect User Management in GitLab
https://notcve.org/view.php?id=CVE-2024-13041
09 Jan 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups. • https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#instance-saml-does-not-respect-external_provider-configuration • CWE-286: Incorrect User Management •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-6324 – Inefficient Algorithmic Complexity in GitLab
https://notcve.org/view.php?id=CVE-2024-6324
09 Jan 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics. • https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#cyclic-reference-of-epics-leads-resource-exhaustion • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-12431 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-12431
08 Jan 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects. • https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#unauthorized-user-can-manipulate-status-of-issues-in-public-projects • CWE-862: Missing Authorization •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5117 – Exposure of Sensitive Information Due to Incompatible Policies in GitLab
https://notcve.org/view.php?id=CVE-2023-5117
25 Dec 2024 — An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL. Se descubrió un problema en GitLab CE/EE que afectaba a todas las versiones anteriores a 17.6.0 en el que los usuarios no sabían que se podía acceder a los archivos cargados para comentarios sobre temas confidenciales y epopeyas de proyec... • https://gitlab.com/gitlab-org/gitlab/-/issues/398250 • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8116 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-8116
16 Dec 2024 — An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names. • https://gitlab.com/gitlab-org/gitlab/-/issues/480509 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8650 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2024-8650
16 Dec 2024 — An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests. • https://gitlab.com/gitlab-org/gitlab/-/issues/486300 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8179 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2024-8179
12 Dec 2024 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled. • https://gitlab.com/gitlab-org/gitlab/-/issues/480718 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2024-8233 – Inefficient Algorithmic Complexity in GitLab
https://notcve.org/view.php?id=CVE-2024-8233
12 Dec 2024 — An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request. • https://gitlab.com/gitlab-org/gitlab/-/issues/480867 • CWE-407: Inefficient Algorithmic Complexity •