In GitLab versions from 13.2.4 to 17.0, a medium-severity vulnerability, CVE-2024-1947, was detected. This vulnerability allows attackers to cause a denial of service (DoS). There is no solution to this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1947/.
In GitLab versions 13.2.4 to 17.0, a medium-severity vulnerability, CVE-2024-5258, was detected. This vulnerability allows attackers to bypass authorization. There is no solution to this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5258/.
In all GitLab CE/EE versions starting from 11.11 prior to 16.10.6, from 16.11 prior to 16.11.3, and from 17.0 prior to 17.0.1, a medium-severity vulnerability, CVE-2024-5318, was detected. This vulnerability allows a guest user to access dependency lists of private projects through job artifacts. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5318.
In GitLab CE/EE versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1, a medium-severity vulnerability, CVE-2023-6502, was detected. It is possible for a malicious user to cause a denial of service using a crafted wiki page. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-6502.
In GitLab CE/EE versions from 13.11 before 16.10.6, from 16.11 before 16.11.3, and from 17.0 before 17.0.1, a medium-severity vulnerability, CVE-2023-7045, was detected. An attacker could exploit this vulnerability to steal security tokens through the Kubernetes Agent Server (KAS). For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-7045/.
In Argo CD, a medium-severity vulnerability, CVE-2024-36106, was detected. This vulnerability allows authenticated users to enumerate cluster names via error messages. It is also possible to enumerate the names of projects with project-scoped clusters if you know the cluster names. This vulnerability is fixed in versions 2.11.3, 2.10.12, and 2.9.17. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36106.
In Argo CD, a medium-severity vulnerability, CVE-2024-37152, was detected. This vulnerability allows unauthorized access to sensitive settings via the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. The vulnerability is fixed in versions 2.11.3, 2.10.12, and 2.9.17. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37152.
In OpenShift, a critical security vulnerability, CVE-2024-5037, was detected. This vulnerability allows attackers to use a forged token to bypass authentication. There is no fix available for this. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5037/.
In GitLab versions before 16.10.6, 16.11.3, and 17.0.1, a high-severity vulnerability, CVE-2024-4835, was detected. Attackers can create a harmful webpage and steal sensitive user data. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4835/.