Developer Tools

In GitLab CE/EE versions 17.3 before 17.9.8, 17.10 before 17.10.6 and 17.11 before 17.11.2 a medium severity vulnerability CVE-2025-0549 was detected. This vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.8, 17.10.6 or 17.11.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0549.

In GitLab CE/EE versions 17.1 before 17.9.8, 17.10 before 17.10.6 and 17.11 before 17.11.2 a medium severity vulnerability CVE-2024-8973 was detected. This vulnerability allows attackers to cause a Denial of Service (DoS) condition via GitHub import requests using a maliciously crafted payload. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.8, 17.10.6 or 17.11.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8973.

In Zitadel versions prior to 3.0.0, 2.71.9 and 2.70.10 a high severity vulnerability CVE-2025-46815 was detected. This vulnerability allows attackers with access to the application’s predefined URI to retrieve authentication tokens and user IDs by repeatedly using idp intents, enabling them to authenticate on behalf of the user. To address this issue, users should upgrade Zitadel to versions 3.0.0, 2.71.9 or 2.70.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46815.

In GitLab EE/CE versions from 16.6 before 16.9.7, 17.10 before 17.10.5 and 17.11 before 17.11.1 a high severity vulnerability CVE-2025-1908 was discovered. This issue could allow an attacker to track users’ browsing activities, potentially leading to full account takeover. To address this issue, users should upgrade GitLab EE/CE to versions 16.9.7, 17.10.5 or 17.11.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1908.

In GitLab CE/EE versions from 16.7 before 17.9.7, 17.10 before 17.10.5 and 17.11 before 17.11.1 a medium severity vulnerability CVE-2025-0639 was discovered. This issue affects service availability through the issue preview feature. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.7, 17.10.5 or 17.11.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0639.

In GitLab EE versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5 and 17.11 prior to 17.11.1 a medium severity vulnerability CVE-2024-12244 was discovered. This issue in access controls may allow users to view restricted project information even when related features are disabled. To address this issue, users should upgrade GitLab EE to versions 17.9.7, 17.10.5 or 17.11.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12244.

In Backstage Scaffolder plugin (permissions backend) a medium severity vulnerability CVE-2025-32791 was detected. This vulnerability allows callers to extract limited information about the conditional decisions returned by the installed permission policy in the permission backend, though there is no impact if the permission system is disabled or the policy does not use conditional decisions. To address this issue, users should upgrade Backstage Scaffolder plugin to version 0.6.0 of the permissions backend. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32791.

In Rancher versions 2.7.0 to before 2.7.14 and 2.8.0 to before 2.8.5 a medium severity vulnerability CVE-2023-32197 was detected. This vulnerability allows attackers to gain more permissions than they should in certain cases where RoleTemplate objects are set with external=true. To address this issue, users should upgrade Rancher to version 2.7.14 or 2.8.5. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-32197.

In Rancher versions 2.7.0 to before 2.7.16, 2.8.0 to before 2.8.9, and 2.9.0 to before 2.9.3 a critical severity vulnerability CVE-2024-22036 was detected. This vulnerability lets attackers break out of the Rancher container and get root access. In test setups, they could even escape the container and run code on the host machine. To address this issue, users should upgrade Rancher to version 2.7.16, 2.8.9, or 2.9.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-22036.