![](/assets/img/cve_300x82_sin_bg.png)
CVE-2024-3303 – Improper Neutralization of Input Used for LLM Prompting in GitLab
https://notcve.org/view.php?id=CVE-2024-3303
13 Feb 2025 — An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection. • https://gitlab.com/gitlab-org/gitlab/-/issues/454460 • CWE CATEGORY •
CVE-2025-1198 – Insufficient Session Expiration in GitLab
https://notcve.org/view.php?id=CVE-2025-1198
13 Feb 2025 — An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. • https://gitlab.com/gitlab-org/gitlab/-/issues/511477 • CWE-613: Insufficient Session Expiration •
CVE-2024-7102 – Execution with Unnecessary Privileges in GitLab
https://notcve.org/view.php?id=CVE-2024-7102
13 Feb 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0, which allows an attacker to trigger a pipeline as another user under certain circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/474414 • CWE-250: Execution with Unnecessary Privileges •
CVE-2024-8266 – Execution with Unnecessary Privileges in GitLab
https://notcve.org/view.php?id=CVE-2024-8266
13 Feb 2025 — An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances. • https://gitlab.com/gitlab-org/gitlab/-/issues/481531 • CWE-250: Execution with Unnecessary Privileges •
CVE-2024-9870 – Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
https://notcve.org/view.php?id=CVE-2024-9870
12 Feb 2025 — An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services. • https://gitlab.com/gitlab-org/gitlab/-/issues/498911 • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') •
CVE-2024-12379 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2024-12379
12 Feb 2025 — A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access Token. • https://gitlab.com/gitlab-org/gitlab/-/issues/508559 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2025-0376 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-0376
12 Feb 2025 — An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page. • https://gitlab.com/gitlab-org/gitlab/-/issues/512603 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2025-1212 – Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitLab
https://notcve.org/view.php?id=CVE-2025-1212
12 Feb 2025 — An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information. • https://gitlab.com/gitlab-org/gitlab/-/issues/502196 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVE-2025-1042 – Files or Directories Accessible to External Parties in GitLab
https://notcve.org/view.php?id=CVE-2025-1042
12 Feb 2025 — An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way. • https://gitlab.com/gitlab-org/gitlab/-/issues/50849943 • CWE-552: Files or Directories Accessible to External Parties •
CVE-2025-1072 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-1072
07 Feb 2025 — A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer. • https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#denial-of-service-by-importing-malicious-crafted-fogbugz-import-payload • CWE-770: Allocation of Resources Without Limits or Throttling •