GitLab CE/EE, all versions from 16.4 prior to 17.5.0: CVE-2024-7102, rated critical. Under certain circumstances an attacker can trigger a pipeline as another user. The feed records no fix version for this issue; note, however, that the stated affected range ends at 17.5.0, so 17.5.0 and later fall outside it. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7102.

GitLab CE/EE, all versions from 17.1 prior to 17.6.0: CVE-2024-8266, medium severity. An attacker holding the Maintainer role can, under certain circumstances, trigger a pipeline as the project owner. To address this issue, upgrade to 17.6.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8266.

GitLab EE only, versions 15.11 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2: CVE-2024-9870, medium severity. A server-side request forgery (SSRF): an attacker can make the GitLab server send requests to unintended services. To address this issue, upgrade GitLab EE to 17.6.5, 17.7.4 or 17.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9870.

GitLab CE/EE, versions 14.1 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2: CVE-2024-12379, medium severity. An attacker can degrade the availability of GitLab through unbounded symbol creation driven by the scopes parameter of a Personal Access Token (a denial of service). To address this issue, upgrade GitLab CE/EE to 17.6.5, 17.7.4 or 17.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12379.

GitLab CE/EE, versions 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2: CVE-2025-0376, high severity. A stored cross-site scripting (XSS) flaw on a change page lets an attacker execute unauthorized actions in the context of a victim who views it. To address this issue, upgrade GitLab CE/EE to 17.6.5, 17.7.4 or 17.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0376.

GitLab CE/EE, versions 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2: CVE-2025-0516, medium severity. Improper authorization lets users with limited permissions perform unauthorized actions on critical project data. To address this issue, upgrade GitLab CE/EE to 17.7.4 or 17.8.2 or later (the 17.6 branch is not in the affected range, so the 17.6.5 release listed alongside the other advisories is not a fix for this one). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0516.

CRI-O as shipped in OpenShift 4: CVE-2025-0750, medium severity. A path traversal in the log-management functions UnMountPodLogs and LinkContainerLogs lets an attacker who holds permission to create and delete Pods unmount arbitrary host paths. The feed lists no fixed version for this issue at the time of writing. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-0750.

GitLab CE/EE, all versions from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4 and 17.5 prior to 17.5.2: CVE-2025-1072, medium severity. Importing maliciously crafted content through the Fogbugz importer causes a denial of service. To fix this issue, upgrade GitLab CE/EE to 17.3.7, 17.4.4 or 17.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2025-1072.

gitlab-web-ide-vscode-fork, the Web IDE component GitLab distributes over its CDN, in versions prior to 1.89.1-1.0.0-dev-20241118094343: CVE-2024-10383, high severity. The component is used by all versions of GitLab CE/EE from 15.11 prior to 17.3 and temporarily affected 17.4, 17.5 and 17.6. Loading a crafted .ipynb file in the Web IDE allows a cross-site scripting (XSS) attack. To fix this issue, upgrade to the latest version of gitlab-web-ide-vscode-fork and of GitLab. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10383.
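As an added triage helper (not GitLab's own tooling, and not part of the original feed): a script that takes a GitLab version string and reports which of the advisories above still apply and the nearest release that clears all of them. The affected ranges and fix versions are transcribed from the entries above. The parsing of the "-ce"/"-ee" suffix, the default to CE when no suffix is present, and the treatment of the end of CVE-2024-7102's affected range as its fix release are assumptions of this example; CVE-2024-10383 is omitted because it is keyed to a CDN component version rather than a GitLab release.

```python
"""Triage helper: which of the GitLab CVEs summarised above affect a given
GitLab version, and what is the nearest release that clears all of them.

Added example, not GitLab's own tooling. Ranges and fix versions are
transcribed from the advisory text on this page.
"""
import re

# Each entry: (cve, editions, [(first_affected, first_fixed), ...]).
# "A prior to B" in an advisory means A <= version < B on that branch,
# so the upper bound of each interval is the first patched release.
# For CVE-2024-7102 the feed lists no fix; the end of its affected
# range (17.5.0) is used as the fix here (assumption of this example).
ADVISORIES = [
    ("CVE-2024-7102",  {"CE", "EE"}, [("16.4", "17.5.0")]),
    ("CVE-2024-8266",  {"CE", "EE"}, [("17.1", "17.6.0")]),
    ("CVE-2024-9870",  {"EE"},       [("15.11", "17.6.5"), ("17.7", "17.7.4"), ("17.8", "17.8.2")]),
    ("CVE-2024-12379", {"CE", "EE"}, [("14.1", "17.6.5"), ("17.7", "17.7.4"), ("17.8", "17.8.2")]),
    ("CVE-2025-0376",  {"CE", "EE"}, [("13.3", "17.6.5"), ("17.7", "17.7.4"), ("17.8", "17.8.2")]),
    ("CVE-2025-0516",  {"CE", "EE"}, [("17.7", "17.7.4"), ("17.8", "17.8.2")]),
    ("CVE-2025-1072",  {"CE", "EE"}, [("7.14.1", "17.3.7"), ("17.4", "17.4.4"), ("17.5", "17.5.2")]),
]


def parse_version(text):
    """Parse a GitLab version string such as '17.7.3-ee' or '17.7.3-ce.0'.

    Returns ((major, minor, patch), edition). A missing patch component is
    treated as 0 and a missing -ce/-ee suffix as CE (assumptions of this
    example; check `gitlab-rake gitlab:env:info` for the real edition).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(ce|ee)(?:\.\d+)?)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), (edition or "ce").upper()


def _v(text):
    """Numeric tuple only, for range comparisons."""
    return parse_version(text)[0]


def affected_by(version_text):
    """Return [(cve, first_fixed_release)] for every advisory whose affected
    range contains the given version, honouring the CE/EE edition."""
    version, edition = parse_version(version_text)
    hits = []
    for cve, editions, ranges in ADVISORIES:
        if edition not in editions:
            continue
        for lo, hi in ranges:
            if _v(lo) <= version < _v(hi):
                hits.append((cve, hi))
                break  # at most one branch range matches a given version
    return hits


def upgrade_target(version_text):
    """Smallest release that clears every listed advisory, or None if the
    version is already clear.

    Starts from the highest per-CVE fix version and re-checks, because
    "fixed in X or later" is per branch: 17.7.0 is above 17.6.5 but still
    inside the '17.7 prior to 17.7.4' range of several advisories.
    """
    _, edition = parse_version(version_text)
    current = version_text
    hits = affected_by(current)
    if not hits:
        return None
    while hits:
        best = max(_v(fix) for _, fix in hits)
        current = "%d.%d.%d-%s" % (*best, edition.lower())
        hits = affected_by(current)  # strictly increases each round, so it terminates
    return current


if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for v in ("17.7.3-ee", "17.4.1-ce.0", "17.8.2-ee"):
        print(v, "->", [c for c, _ in affected_by(v)], "upgrade to:", upgrade_target(v))
```

The branch-aware re-check in `upgrade_target` is the point of the example: a single "upgrade to X or later" per CVE is not enough when several advisories share overlapping per-branch ranges, so the helper keeps re-evaluating the candidate until no advisory matches it.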