In GitLab versions from 16.7 to 17.1.1, a medium-severity vulnerability, CVE-2024-3959, was detected. This vulnerability allows attackers to gain access to sensitive data. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3959/.
In GitLab EE, all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, a medium-severity vulnerability, CVE-2024-3115, was detected. Attackers can access issues and epics without an SSO session through Duo Chat. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3115.
In GitLab CE/EE, affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, a medium-severity vulnerability, CVE-2024-1816, was detected. This problem lets an attacker crash a service by supplying a specially crafted OpenAPI file. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1816.
In GitLab CE/EE versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, a medium-severity vulnerability, CVE-2024-2191, was detected. This vulnerability makes the merge request title publicly visible despite its visibility being set to project members only, failing to restrict access from unauthorized users. To address this issue, users should upgrade to 16.11.5, 17.0.3 or 17.1.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2191.
In GitLab CE/EE versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, a high-severity vulnerability, CVE-2024-4901, was detected. This stored XSS vulnerability involves injecting malicious code into the web app via user inputs such as commit notes. This allows attackers to run scripts in users' browsers, compromising sessions or accessing sensitive data. To address this issue, users should upgrade to 16.11.5, 17.0.3 or 17.1.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4901.
In GitLab CE/EE, all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, a low-severity vulnerability, CVE-2024-4011, was detected. This vulnerability allows non-project members to promote key results to objectives. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4011.
In GitLab CE/EE, all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, multiple medium-severity Denial of Service (DoS) vulnerabilities, tracked as CVE-2024-4557, were detected. They allow an attacker to cause resource exhaustion via the Banzai pipeline. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4557.
In GitLab versions 16.11 to 17.1.1, a high-severity vulnerability, CVE-2024-6323, was detected. This vulnerability allows attackers to leak the content of a private repository in a public project. There is no fix for this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6323/.
In GitLab CE/EE versions from 15.8 onwards, a critical security vulnerability, CVE-2024-5655, was detected. Attackers can trigger a pipeline as another user under certain circumstances. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5655.