Summary
Detail | | | |
---|---|---|---|
Vendor | Gitlab | First view | 2019-03-26 |
Product | Gitlab | Last view | 2025-08-13 |
Version | 11.5.0 | Type | Application |
Update | rc3 | | |
Edition | * | | |
Language | * | | |
Software Edition | community | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:gitlab:gitlab | | |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
0 | 2025-08-13 | CVE-2025-8770 | An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers. |
5.4 | 2025-08-13 | CVE-2025-7739 | An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions. |
5.4 | 2025-08-13 | CVE-2025-7734 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content. |
5.4 | 2025-08-13 | CVE-2025-6186 | An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names. |
0 | 2025-08-13 | CVE-2025-5819 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances. |
0 | 2025-08-13 | CVE-2025-2937 | An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature. |
0 | 2025-08-13 | CVE-2025-2614 | An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed. |
4.3 | 2025-08-13 | CVE-2025-2498 | An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions. |
7.5 | 2025-08-13 | CVE-2025-1477 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints. |
5.5 | 2025-08-13 | CVE-2024-12303 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role. |
0 | 2025-08-13 | CVE-2024-10219 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints. |
2.7 | 2025-07-24 | CVE-2025-7001 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed privileged users to access certain resource_group information through the API which should have been unavailable. |
5.3 | 2025-07-24 | CVE-2025-4976 | An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses. |
4.3 | 2025-07-24 | CVE-2025-1299 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request. |
0 | 2025-07-24 | CVE-2025-0765 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses. |
6.1 | 2025-07-23 | CVE-2025-4700 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS. |
5.4 | 2025-07-23 | CVE-2025-4439 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks. |
8 | 2025-07-10 | CVE-2025-6948 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content. |
2.7 | 2025-07-10 | CVE-2025-6168 | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests. |
0 | 2025-07-10 | CVE-2025-4972 | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality. |
4.3 | 2025-07-10 | CVE-2025-3396 | An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests. |
4.3 | 2025-06-26 | CVE-2025-5846 | An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. |
0 | 2025-06-26 | CVE-2025-5315 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. |
0 | 2025-06-26 | CVE-2025-3279 | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests. |
8.8 | 2025-06-26 | CVE-2025-2938 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
23% (130) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
7% (40) | CWE-770 | Allocation of Resources Without Limits or Throttling |
6% (36) | CWE-200 | Information Exposure |
6% (35) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
4% (28) | CWE-639 | Access Control Bypass Through User-Controlled Key |
4% (27) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
3% (22) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
2% (16) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
2% (15) | CWE-287 | Improper Authentication |
2% (14) | CWE-532 | Information Leak Through Log Files |
2% (14) | CWE-269 | Improper Privilege Management |
2% (12) | CWE-352 | Cross-Site Request Forgery (CSRF) |
1% (11) | CWE-209 | Information Exposure Through an Error Message |
1% (11) | CWE-20 | Improper Input Validation |
1% (10) | CWE-276 | Incorrect Default Permissions |
1% (8) | CWE-281 | Improper Preservation of Permissions |
1% (8) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
1% (8) | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Comma... |
1% (7) | CWE-613 | Insufficient Session Expiration |
1% (6) | CWE-306 | Missing Authentication for Critical Function |
1% (6) | CWE-116 | Improper Encoding or Escaping of Output |
0% (5) | CWE-668 | Exposure of Resource to Wrong Sphere |
0% (4) | CWE-522 | Insufficiently Protected Credentials |
0% (4) | CWE-312 | Cleartext Storage of Sensitive Information |
0% (4) | CWE-295 | Certificate Issues |
SAINT Exploits
Description | Link |
---|---|
GitLab ExifTool uploaded image command injection | More info here |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2019-01-07 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b2f4ab910e6b11e98700001b217b3468.nasl - Type: ACT_GATHER_INFO |
2018-12-24 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_70b774a805bc11e987ad001b217b3468.nasl - Type: ACT_GATHER_INFO |
2018-12-17 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_757e6ee8ff9111e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO |
2018-12-07 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_9d3428d4f98c11e8a148001b217b3468.nasl - Type: ACT_GATHER_INFO |
2018-11-29 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_8a4aba2df33e11e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |
2018-11-21 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_d889d32cecd911e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |
2018-10-30 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_b9591212dba711e89416001b217b3468.nasl - Type: ACT_GATHER_INFO |