On April 22, 2026, we released versions 18.11.1, 18.10.4, 18.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Impacted Versions: GitLab CE/EE: all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user’s browser session due to improper path validation under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.
Impacted Versions: GitLab CE/EE: all versions from 16.1 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.
Impacted Versions: GitLab CE/EE: all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to cause denial of service when importing issues due to improper input validation.
Impacted Versions: GitLab CE/EE: all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service due to insufficient resource allocation limits when retrieving notes under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API.
Impacted Versions: GitLab CE/EE: all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member David Fernandez
GitLab has remediated an issue that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.
Impacted Versions: GitLab CE/EE: all versions from 18.11 before 18.11.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to load unauthorized content into another user’s browser due to improper input validation in the Mermaid sandbox.
Impacted Versions: GitLab CE/EE: all versions from 18.11 before 18.11.1
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program
This patch includes database migrations that may impact your upgrade process.
The following versions include regular migrations that run during the upgrade process:
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On April 8, 2026, we released versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.
Impacted Versions: GitLab CE/EE: all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Simon Tomlinson
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads.
Impacted Versions: GitLab CE/EE: all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Impacted Versions: GitLab CE/EE: all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that when importing CSV files could have allowed an authenticated user to cause denial of service to Sidekiq workers due to improper validation of CSV file structure.
Impacted Versions: GitLab CE/EE: all versions from 11.7 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
Impacted Versions: GitLab EE: all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users’ browsers due to improper input sanitization.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.
Impacted Versions: GitLab EE: all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks sage_cyberlord for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to have access to other users’ email addresses via certain GraphQL queries.
Impacted Versions: GitLab EE: all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
Impacted Versions: GitLab EE: all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3
CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program
gitlab-rspec test failures on stable branches’These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
The SLES 12.5 packages for 18.10.3 and 18.9.5 are not present in this release.
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Note: GitLab releases have skipped 18.10.2, 18.9.4 and 18.8.8. There are no patches with these version numbers.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On March 25, 2026, we released versions 18.10.1, 18.9.3, 18.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.
Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.
Impacted Versions: GitLab EE: all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks a_m_a_m and yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.
Impacted Versions: GitLab CE/EE: all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks svalkanov for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.
Impacted Versions: GitLab CE/EE: all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Thanks a0xnirudh for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.
Impacted Versions: GitLab EE: all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Impacted Versions: GitLab CE/EE: all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
Impacted Versions: GitLab CE/EE: all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks lucky_luke for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to execute arbitrary JavaScript in a user’s browser due to improper sanitization of entity-encoded content in Mermaid diagrams.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.
Impacted Versions: GitLab CE/EE: all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks pkkr for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control.
Impacted Versions: GitLab EE: all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks kamikaze1337 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisions.
Impacted Versions: GitLab EE: all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
This vulnerability was discovered internally by GitLab team member Fred de Gier.
oj and oj-introspect gem updatesoj and oj-introspect gem updatesThe SLES 12.5 package is not available for GitLab 18.10.1.
This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On March 11, 2026, we released versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an authenticated user, when the markdown_placeholders feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
Impacted Versions: GitLab CE/EE: all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by issuing specially crafted requests to repository archive endpoints under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API.
Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to cause a denial of service condition due to improper handling of webhook response data.
Impacted Versions: GitLab CE/EE: all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
Impacted Versions: GitLab CE/EE: all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Thanks shells3c for reporting this vulnerability.
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.
Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in the group import process under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N)
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to gain unauthorized access to confidential issue titles created in public projects under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
Impacted Versions: GitLab EE: all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2
CVSS 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program
This patch includes database migrations that may impact your upgrade process.
The following versions include regular migrations that run during the upgrade process:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On February 25, 2026, we released versions 18.9.1, 18.8.5, 18.7.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Impacted Versions: GitLab CE/EE: all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
Impacted Versions: GitLab CE/EE: all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.
Impacted Versions: GitLab CE/EE: all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
This vulnerability has been discovered internally by GitLab team member Sam Word
GitLab has remediated an issue that could have, under certain circumstances, allowed an authenticated user with certain access to cause denial of service by creating specially crafted CI triggers via the API.
Impacted Versions: GitLab CE/EE: all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
Impacted Versions: GitLab CE/EE: versions from 18.9 before 18.9.1
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Thanks vinax for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Impacted Versions: GitLab EE: all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks modhanami for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
The SLES 12.5 package is not available for GitLab 18.9.1.
This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On February 10, 2026, we released versions 18.8.4, 18.7.4, 18.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks cav0ur for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
Impacted Versions: GitLab CE/EE: all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.
Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks elbo7 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting content into vulnerability code flow.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Thanks joaxcar and yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to user accounts through HTML injection in test case titles.
Impacted Versions: GitLab CE/EE: all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by uploading specifically crafted files.
Impacted Versions: GitLab CE/EE: all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
Impacted Versions: GitLab CE/EE: all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks maksyche for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause denial of service by uploading a specially crafted file to the dashboard and repeatedly sending GraphQL queries to parse it.
Impacted Versions: GitLab EE: all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user with certain permissions to perform server-side request forgery against internal network services.
Impacted Versions: GitLab EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Thanks go7f0qho for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Impacted Versions: GitLab CE/EE: all versions from 18.8 before 18.8.4
CVSS 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Thanks u3mur4 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
Impacted Versions: GitLab CE/EE: all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks yunus0x for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
Impacted Versions: GitLab EE: all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Thanks go7f0 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to inject content into project labels titles.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Thanks rafabd1 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API.
Impacted Versions: GitLab CE/EE: all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks sndd for reporting this vulnerability through our HackerOne bug bounty program
dap_onboarding_empty_states back offGitLab.com Ultimate trials now include evaluation credits for GitLab Duo Agent Platform. On GitLab.com, signing up for an Ultimate trial provides 24 evaluation credits per user for 30 days to exercise agentic AI capabilities such as autonomous task execution and multi‑step workflow orchestration. Self-managed customers should update to GitLab 18.9 upon release to get the best trial experience. GitLab.com free tier namespaces can start an Ultimate trial today.
Start your free trial. Current paid customers can request evaluation credits through their account team and begin technical setup ahead of the 18.9 release contact Sales to learn more.
This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On February 6, 2026, we released versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway.
These versions contain a critical security fix for GitLab Duo Self-Hosted AI Gateway, and we strongly recommend that all Self Managed customers with GitLab Duo Self-Hosted installations update to one of these versions immediately.
A fix has already been deployed for the GitLab-hosted AI Gateway. Customers using GitLab.com, GitLab Dedicated, and GitLab Self Managed instances with GitLab-hosted AI Gateway are protected and do not need to take action.
We strongly recommend that all GitLab Duo Self-Hosted installations running a version of self-hosted AI Gateway affected by the issue described below are upgraded to the latest version as soon as possible.
| Title | Severity |
|---|---|
| Insecure Template expansion issue impacts GitLab AI Gateway | Critical |
The Duo Workflow Service component of GitLab AI Gateway before versions 18.6.2, 18.7.1, and 18.8.1 is vulnerable to insecure template expansion of user supplied data via crafted Duo Agent Platform Flow definitions. Authenticated access to the GitLab instance is required. This vulnerability could be used to cause Denial of Service or gain code execution on the Gateway.
Impacted Versions: GitLab AI Gateway: all versions from 18.1.6, 18.2.6, and 18.3.1 before 18.6.2, 18.7.1, and 18.8.1
CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
This vulnerability was discovered internally by GitLab team member Joern Schneeweisz.
To update GitLab Duo Self-Hosted, see the GitLab Duo Self-Hosted install documentation.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On February 4, 2026, we released versions 18.8.3, 18.7.3, and 18.6.5 for GitLab Community Edition and Enterprise Edition.
This patch release delivers a set of targeted fixes focused on reliability, entitlement handling, and feature-flag consistency across GitLab Duo Agent Platform deployments.
The updates reflect real-world usage across diverse environments and usage models, and are part of the normal hardening cycle for a platform that integrates deeply with GitLab workflows, identity, and usage controls. Core agent capabilities and behaviors are unchanged. This patch release does not include any security fixes.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On January 21, 2026, we released versions 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.
Impacted Versions: GitLab CE/EE: all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests.
Impacted Versions: GitLab CE/EE: all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
This vulnerability has been discovered internally by GitLab team member Thiago Figueiró.
Make external agent configurations GASeparate policy logic for AI Catalog Flows and Foundational FlowsFix logic for fetching occurrences related to vulnerabiltiesRecreate p_sent_notifications.reply_key indexCorrect Code Review Flow history for betaThis patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On January 19, 2026, we released versions 18.8.1 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
Correct Code Review Flow history for betaThis version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On January 7, 2026, we released versions 18.7.1, 18.6.3, 18.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown placeholder processing.
Impacted Versions: GitLab CE/EE: all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user’s browser by convincing the legitimate user to visit a specially crafted webpage.
Impacted Versions: GitLab CE/EE: all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
Impacted Versions: GitLab EE: all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Jessie Young.
GitLab has remediated an issue that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
Impacted Versions: GitLab EE: all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to create a denial of service condition by providing crafted responses to external API calls.
Impacted Versions: GitLab CE/EE: all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Impacted Versions: GitLab CE/EE: all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed a user to leak sensitive connection information by referencing specially crafted images that bypass asset proxy protection.
Impacted Versions: GitLab CE/EE: all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
Libpng has been updated to version 1.6.51, which contains fixes for security vulnerabilities including CVE-2025-65018 and CVE-2025-64720.
This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On December 10, 2025, we released versions 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.
Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI.
Impacted Versions: GitLab CE/EE: all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
Thanks x0abcd_ for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated a security issue that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.
Impacted Versions: GitLab CE/EE: all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits.
Impacted Versions: GitLab CE/EE: all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.
Impacted Versions: GitLab CE/EE: all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Thanks jcarre for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
Impacted Versions: GitLab CE/EE: all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
GitLab has remediated an issue that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters.
Impacted Versions: GitLab CE/EE: all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
This vulnerability has been discovered internally by GitLab team member Thong Kuah
GitLab has remediated an issue that could have allowed a user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries.
Impacted Versions: GitLab EE: all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks weasterhacker for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests.
Impacted Versions: GitLab CE/EE: all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
This vulnerability has been discovered internally by GitLab team member Rohit Shambhuni
GitLab has remediated an issue that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.
Impacted Versions: GitLab CE/EE: all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On November 26, 2025, we released versions 18.6.1, 18.5.3, 18.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions.
Impacted Versions: GitLab CE/EE: all versions from 18.4 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks aphantom for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.
Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.
Impacted Versions: GitLab CE/EE: all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing.
Impacted Versions: GitLab CE/EE: all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to view information from security reports under certain configuration conditions.
Impacted Versions: GitLab EE: all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.
Impacted Versions: GitLab CE/EE: all versions from 13.12 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1
CVSS 2.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)
commitsCount variable name’This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On November 12, 2025, we released versions 18.5.2, 18.4.4, 18.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.
Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that, under certain circumstances, could have allowed a user to remove Duo flows of another user.
Impacted Versions: GitLab EE: all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
This vulnerability has been discovered internally by GitLab team member Dylan Griffith.
GitLab has remediated an issue that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.
Impacted Versions: GitLab CE/EE: all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remdiated an issue in GitLab CE/EE that under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.
Impacted Versions: GitLab CE/EE: all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks weasterhacker for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to leak sensitive information from confidential issues by injecting hidden prompts in merge request comments.
Impacted Versions: GitLab EE: all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.
Impacted Versions: GitLab EE: all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
Thanks swiftee for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.
Impacted Versions: GitLab CE/EE: all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers.
Impacted Versions: GitLab CE/EE: all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.
Impacted Versions: GitLab CE/EE: all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
Thanks phli for reporting this vulnerability through our HackerOne bug bounty program
libxslt has been updated to version 1.1.43 which contains fixes for security vulnerabilities including CVE-2024-55549 and CVE-2025-24855
/api/v4/internal/pages endpoint/api/v4/internal/pages endpoint/api/v4/internal/pages endpointThis patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On October 22, 2025, we released versions 18.5.1, 18.4.3, 18.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an authenticated user with specific permissions to hijack project runners from other projects.
Impacted Versions: GitLab EE: all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending specially crafted payloads.
Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.
Impacted Versions: GitLab CE/EE: all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by uploading large files to specific API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
This vulnerability has been discovered internally by GitLab team member David Fernandez
GitLab has remediated an issue that could have allowed an authenticated user to trigger unauthorized pipeline executions by manipulating commits.
Impacted Versions: GitLab EE: all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N)
GitLab has remediated an issue that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.
Impacted Versions: GitLab EE: all versions from 18.4 before 18.4.3 and 18.5 before 18.5.1
CVSS 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
Thanks mateuszek and rhidayahh for reporting this vulnerability through our HackerOne bug bounty program
GitLab has remediated an issue that could have allowed an authenticated user to execute unauthorized quick actions by including malicious commands in specific descriptions.
Impacted Versions: GitLab EE: all versions from 17.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
This vulnerability has been discovered internally by GitLab team member Eva Kadlecová
These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On October 8, 2025, we released versions 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
Impacted Versions: GitLab EE: all versions from 18.3 to 18.3.4, 18.4 to 18.4.2
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
This vulnerability has been discovered internally by GitLab team member Brian Williams.
GitLab has remediated an issue that could make the GitLab instance unresponsive or degraded by sending crafted GraphQL queries requesting large repository blobs.
Impacted Versions: GitLab CE/EE: all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.
Impacted Versions: GitLab CE/EE: all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue impacting an upstream Ruby Core library that could have allowed an authenticated user to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses. This issue was reported to Ruby Core maintainers on July 17, 2025.
Impacted Versions: GitLab CE/EE: all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Thanks ppee for reporting this vulnerability through our HackerOne bug bounty program.
This patch includes database migrations that may impact your upgrade process.
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On September 25, 2025, we released versions 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to execute actions on behalf of other users by injecting malicious content.
Impacted Versions: GitLab CE/EE: all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to render a GitLab instance unresponsive to legitimate users by sending specifically crafted JSON files.
Impacted versions: GitLab CE/EE: all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
GitLab has remediated an issue that could have allowed an unauthenticated user to bypass query complexity limits leading to a Denial of Service condition.
Impacted versions: Gitlab EE/CE all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed low privileged users access to sensitive information stored in virtual registry configurations.
Impacted versions: GitLab CE/EE all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.
Impacted versions: GitLab EE all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1
CVSS: 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to cause uncontrolled CPU consumption, potentially leading to a Denial of Service condition while using specific GraphQL queries.
Impacted versions: GitLab CE/EE all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
This vulnerability has been discovered internally by GitLab team member Alisa Frunza.
GitLab has remediated an issue that could allow Project Maintainers improper authorization to assign custom roles to users exceeding the Project Maintainer’s security boundary and achieving elevated privileges.
Impacted versions: GitLab EE all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
This vulnerability was discovered internally by a GitLab team member, Diane Russel.
GitLab has remediated an issue that could have allowed an authenticated user to create a Denial of Service condition by exploiting an unprotected GraphQL API through repeated requests.
Impacted versions: GitLab CE/EE all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
This vulnerability has been discovered internally by GitLab team member Terri Chu
GitLab has remediated an issue that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name, potentially having users transfer sensitive information to the incorrect project.
Impacted versions: GitLab CE/EE all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to cause performance degradation, potentially leading to a Denial of Service condition with certain string conversion methods.
Impacted versions: GitLab CE/EE all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
postgreSQL has been updated to version 16.10 which contains fixes for security vulnerabilities including CVE-2025-8713, CVE-2025-8714 and CVE-2025-8715
ActiveRecord::StatementInvalid: PG::UndefinedColumn when querying reverification count’These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On September 10, 2025, we released versions 18.3.2, 18.2.6, 18.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.
Impacted Versions: GitLab CE/EE: all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks yuki_osaki for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences.
Impacted Versions: GitLab CE/EE: all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2
CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Thanks ppee for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.
Impacted Versions: GitLab CE/EE: all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab instance by uploading large files.
Impacted Versions: GitLab CE/EE: all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with excessively large names.
Impacted Versions: GitLab CE/EE: all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces.
Impacted Versions: GitLab CE/EE: all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.
These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On August 27, 2025, we released versions 18.3.1, 18.2.5, 18.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses.
Impacted Versions: GitLab CE/EE: all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks nermalt for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API.
Impacted Versions: GitLab CE/EE: all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1
CVSS: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests.
Impacted Versions: GitLab CE/EE: all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.
Impacted Versions: GitLab CE/EE: all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1
CVSS: 5.0 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N).
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On August 18, 2025, we released versions 18.2.4 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Note: GitLab releases have skipped 18.2.3. There is no patch with that version number.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On August 15, 2025, we released version 17.11.7 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On August 13, 2025, we released versions 18.2.2, 18.1.4, 18.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Impacted Versions: GitLab CE/EE: all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.
Impacted Versions: GitLab CE/EE: all versions from 18.2 before 18.2.2
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.
Impacted Versions: GitLab CE/EE: all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed authenticated users with maintainer privileges to cause denial of service to other users’ CI/CD pipelines by manipulating shared infrastructure resources beyond their intended access level.
Impacted Versions: GitLab CE/EE: all versions 18.0 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Thanks abdelrahman_maged for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role.
Impacted Versions: GitLab CE/EE: all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
Thanks yuki_osaki for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed.
Impacted Versions: GitLab CE/EE: all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Thanks albatraoz for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers.
Impacted Versions: GitLab EE: all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
This vulnerability has been discovered internally by GitLab team member Dominic Bauer.
GitLab has remediated an issue that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature.
Impacted Versions: GitLab CE/EE: all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks yuki_osaki for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints.
Impacted Versions: GitLab CE/EE: all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.
Impacted Versions: GitLab CE/EE: all versions from 15.7 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)
Thanks skybound for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.
Impacted Versions: GitLab EE: all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
docs hugo_build CI job uses docs-gitlab-com stable branchesdocs hugo_build CI job uses docs-gitlab-com stable branchesdocs hugo_build CI job uses docs-gitlab-com stable branchesThis patch includes database migrations that may impact your upgrade process.
The following versions include regular migrations that run during the upgrade process:
The following versions include post-deploy migrations that can run after the upgrade:
To learn more about the impact of upgrades on your installation, see:
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On July 23, 2025, we released versions 18.2.1, 18.1.3, 18.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue affecting a Kubernetes proxy feature that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.
Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.
Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
CVSS: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed privileged users to access certain resource_group information through the API which should have been unavailable.
Impacted Versions: GitLab CE/EE: all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.
Impacted Versions: GitLab EE: all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed an unauthorized user to access custom service desk email addresses.
Impacted Versions: GitLab CE/EE: all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.
Impacted Versions: GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
Trigger webhook events on vulnerability dismissalTrigger webhook events on vulnerability dismissalTo update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On July 9, 2025, we released versions 18.1.2, 18.0.4, 17.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Impacted Versions: all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.
Impacted Versions: all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.
Impacted Versions: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2.
CVSS: 2.7(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.
Impacted Versions: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2.
CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
Thanks hunter0xp7 for reporting this vulnerability through our HackerOne bug bounty program.
rsync has been updated to version 3.4.1 which contains fixes for security vulnerabilities including CVE-2024-12084 and CVE-2024-12088.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On June 25, 2025, we released versions 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
Impacted Versions: GitLab CE/EE: all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.
Impacted Versions: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Thanks abdelrahman_maged for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
Impacted Versions: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks rhidayahh for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.
Impacted Versions: GitLab CE/EE: all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.
Impacted Versions: GitLab EE: all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1
CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
This vulnerability was reported internally by a GitLab team member, Joern Schneeweisz.
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On June 11, 2025, we released versions 18.0.2, 17.11.4, 17.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook page and security FAQ. You can see all of GitLab’s release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.
GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to achieve account takeover by injecting code into the search page.
Impacted versions GitLab CE/EE: all versions starting with 18.0 before 18.0.2.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to act in the context of a legitimate user by injecting a malicious script into the snippet viewer.
Impacted versions GitLab CE/EE: all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker with authenticated access to a GitLab instance with a GitLab Ultimate license applied (paid customer or trial) to inject a malicious CI/CD job into all future CI/CD pipelines of any project.
Impacted versions GitLab Ultimate EE from 17.11 before 17.11.4 and 18.0 before 18.0.2.
CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Thanks jean_d-ou for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by triggering an infinite redirect loop causing memory exhaustion on the server.
Impacted versions GitLab CE/EE: all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by generating tokens with sufficiently large names.
Impacted versions GitLab CE/EE: all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by crafting Board Names with sufficiently large sizes.
Impacted versions GitLab CE/EE: all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to clone a legitimate user’s private repository by sending a timed clone request when a secondary node is out of sync.
Impacted versions GitLab CE/EE: all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Thanks hdtran for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by integrating a malicious third-party component into a GitLab project.
Impacted versions GitLab CE/EE: versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Thanks joaxcar and pwnie for reporting this vulnerability through our HackerOne bug bounty program.
GitLab has remediated an issue that could have allowed authenticated users to gain access to data beyond their privilege boundaries by accessing arbitrary compliance frameworks.
Impacted versions GitLab CE/EE: all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
This vulnerability has been discovered internally by a member of the GitLab team.
GitLab has remediated an issue that could have allowed a successful attacker to bypass IP access restrictions and view sensitive group information.
Impacted versions GitLab EE: versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2.
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
This vulnerability has been discovered internally by GitLab team member @joernchen.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On May 21, 2025, we released versions 18.0.1, 17.11.3, 17.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2025-0993.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allowed modified SAML responses to bypass 2FA requirement under specialized conditions.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8).
It is now mitigated in the latest release and is assigned CVE-2024-12093.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-7803.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2025-3111.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2025-2853.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.9).
It is now mitigated in the latest release and is assigned CVE-2025-4979.
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, 4.6).
It is now mitigated in the latest release and is assigned CVE-2025-0605.
Thanks salh4ckr for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2025-0679.
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5).
It is now mitigated in the latest release and is assigned CVE-2024-9163.
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7).
It is now mitigated in the latest release and is assigned CVE-2025-1110.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to apply the latest patches for low and medium level security issues.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On May 7, 2025, we released versions 17.11.2, 17.10.6, 17.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. Under certain conditions Device OAuth flow protections could be bypassed, enabling authorization form submission through minimal user interaction.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8).
It is now mitigated in the latest release and is assigned CVE-2025-0549.
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a malicious crafted payload.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-8973.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions of a group, enabling them to disclose sensitive information.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2025-1278.
Thanks iamgk808 for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On April 23, 2025, we released versions 17.11.1, 17.10.5, 17.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user’s browser under specific conditions, affecting all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-1763.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user’s browser under specific conditions, affecting all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-2443.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE/CE that could allow an attacker to track users’ browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, 7.7).
It is now mitigated in the latest release and is assigned CVE-2025-1908.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered affecting service availability via issue preview in GitLab CE/EE affecting all versions from 16.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2025-0639.
Thanks sigitsetiawansss for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in access controls that could allow users to view certain restricted project information even when related features are disabled in GitLab EE, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-12244.
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On April 9, 2025, we released versions 17.10.4, 17.9.6, 17.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4. A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2025-1677.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2025-0362.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2025-2408.
Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4, This allows attackers to perform targeted searches with sensitive keywords to get the count of issues containing the searched term.
This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-11129
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7).
It is now mitigated in the latest release and is assigned CVE-2025-2469.
Thanks ap-wtioit for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
]]>On April 2, 2025, we released versions 17.10.3 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version includes new post deployment migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Note: GitLab releases have skipped 17.10.2. There is no patch with that version number.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On April 2, 2025, we released versions 17.9.5 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version includes new post deployment migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Note: GitLab releases have skipped 17.9.4. There is no patch with that version number.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On March 26, 2025, we released versions 17.10.1, 17.9.3, 17.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in Gitlab EE/CE affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS).
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-2255.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-0811.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2025-2242.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N, 5.2).
It is now mitigated in the latest release and is assigned CVE-2024-12619.
Thanks aituglo for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data to unauthorized users.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability has been discovered internally by GitLab team member Félix Veillette-Potvin.
An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-10307.
Thanks l33thaxor for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.9.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintainer to add malicious code to the CLI commands shown in the UI.
This is a low severity issue (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N, 3.7).
It is now mitigated in the latest release and is assigned CVE-2024-9773.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On March 12, 2025, we released versions 17.9.2, 17.8.5, 17.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action and will be notified once their instance has been patched.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
ruby-saml)GitLab has remediated two privately disclosed security issues (CVE-2025-25291, CVE-2025-25292) identified in the ruby-saml library which GitLab uses when SAML SSO authentication is enabled at the instance or group level. These issues have been remediated on GitLab.com, and in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2.
On GitLab CE/EE instances using SAML authentication, under certain circumstances, an attacker with access to a valid signed SAML document from the IdP could authenticate as another valid user within the environment’s SAML IdP.
Affected customers who cannot immediately update GitLab CE/EE to address these issues may choose to perform the following mitigation steps:
Note: This vulnerability requires the attacker to have compromised a valid user account to perform the authentication bypass.
gitlab_rails['omniauth_block_auto_created_users'] = true)CVE-2025-25291 through our HackerOne bug bounty programCVE-2025-25292 and contacting GitLab to coordinate disclosure and remediation across vendorsruby-saml RubyGem) for their collaboration on remediation and coordinating disclosuregraphql)GitLab has remediated a privately disclosed security issue (CVE-2025-27407) identified in the Ruby graphql library, which affects and has been remediated in GitLab.com, and in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2.
Under certain circumstances, if an attacker-controlled authenticated user account attempted to transfer a maliciously-crafted project via the Direct Transfer feature (note: Direct transfer is in beta stage and is disabled by default for all self-managed Gitlab instances), remote code execution is possible. Disabling Direct Transfer removes risk of exploitation from this issue.
Affected customers who cannot immediately update their GitLab CE/EE to address these issues may choose to perform the following mitigation steps:
An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.
This is a medium severity issue (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.7).
It is now mitigated in the latest release and is assigned CVE-2024-13054.
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-12380.
Thanks sigitsetiawansss for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service condition by manipulating specific API inputs. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2025-1257.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2025-0652.
Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a Maintainer to introduce malicious code.
This is a low severity issue (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N, 3.7).
It is now mitigated in the latest release and is assigned CVE-2024-8402.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Admin group member permissions can approve the users invitation despite user capsAn issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7).
It is now mitigated in the latest release and is assigned CVE-2024-7296.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
The PostgreSQL project released an update so we are updating to versions 14.17 and 16.8.
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On February 26, 2025, we released versions 17.9.1, 17.8.4, 17.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-0475.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a user’s browser under specific conditions.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, 7.7).
It is now mitigated in the latest release and is assigned CVE-2025-0555.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4).
It is now mitigated in the latest release and is assigned CVE-2024-8186.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-10925.
Thanks yuki_osaki for reporting this vulnerability through our HackerOne bug bounty program.
Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1 allow users with limited permissions to access potentially sensitive project analytics data.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2025-0307.
Thanks weasterhacker for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
Note: GitLab releases have skipped 17.7.5 and 17.8.3. There are no patches with these version numbers.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On February 12, 2025, we released versions 17.8.2, 17.7.4, 17.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-0376.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access Token.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-12379.
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-3303.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2025-1212.
This vulnerability has been discovered internally by GitLab team member Joern Schneeweisz.
An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-9870.
Thanks retr02332 for reporting this vulnerability through our HackerOne bug bounty program.
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2025-0516.
Thanks sp4rrow for reporting this vulnerability through our HackerOne bug bounty program.
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.2).
It is now mitigated in the latest release and is assigned CVE-2025-1198.
This vulnerability has been discovered internally by a GitLab team member Dylan Griffith.
An improper access control vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows a user with a custom permission to view contents of a repository even if that access is not authorized.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7).
It is now mitigated in the latest release and is assigned CVE-2025-1042.
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user manually designated as an External without configuring them as such in SAML response to lose that designation, and to read and clone internal projects under certain circumstances. After upgrading to a patched version, please review and re-designate any externals users.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2025-1540.
Thanks Renato Alves for reporting this vulnerability.
Mattermost has been updated to versions 10.2.3, which contains several patches and security fixes.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On January 22, 2025, we released versions 17.8.1, 17.7.3, 17.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| Stored XSS via Asciidoctor render | High |
| Developer could exfiltrate protected CI/CD variables via CI lint | Medium |
| Cyclic reference of epics leads resource exhaustion | Medium |
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2025-0314.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI/CD variables via CI lint.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-11931.
This vulnerability was internally discovered and reported by GitLab team member Greg Myers.
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.6.4, starting from 17.7 prior to 17.7.3, and starting from 17.8 prior to 17.8.1. It was possible to trigger a DoS by creating cyclic references between epics.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-6324.
Thanks xorz for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On January 15, 2025, we released versions 17.7.2 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
download_code dependency from access to read merge requestsIf you had previously upgraded to GitLab 17.7.0 or 17.7.1 this patch is recommended to prevent any further occurrences of merge request comments being unable to be displayed. A future release will correct the display issue for affected records.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On January 8, 2025, we released versions 17.7.1, 17.6.3, 17.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
GitLab released a new user contribution and membership mapping feature for GitLab importers, including Direct Transfer, GitHub, Bitbucket Server, and Gitea importers. This feature is available by default from GitLab 17.7.1. More information on the feature and availability can be found in a blog post and in the documentation here.
Vulnerabilities (CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970) affecting import functionality were discovered through our HackerOne bug bounty program. To address these vulnerabilities and further enhance security, GitLab redesigned the importers’ user contribution mapping functionality.
Full details describing improved user contribution and membership mapping features are available in the GitLab docs here.
Exploitation requires that an attacker have an authenticated user account on the target GitLab instance. Therefore, the risk is primarily limited to insider threats unless you allow open internet access and public registrations.
GitLab strongly recommends disabling importers until your GitLab instance is upgraded to version 17.7.1 or later. You can disable import features by:
If you must enable an importer, GitLab recommends temporarily enabling it during an import and disabling the feature after the import is complete.
GitLab Self-Managed with Direct Transfer (beta feature) or GitHub, Bitbucket Server, or Gitea importers enabled may be vulnerable and should be upgraded immediately.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2025-0194.
This vulnerability has been discovered internally by GitLab team member Thong Kuah.
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-6324.
Thanks xorz for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-12431.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
external_provider configurationAn issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-13041.
This vulnerability has been discovered internally by GitLab team member Drew Blessing.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On December 11, 2024, we released versions 17.6.2, 17.5.4, 17.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 before 17.4.6, starting from 17.5 before 17.5.4, and starting from 17.6 before 17.6.2, injection of Network Error Logging (NEL) headers in kubernetes proxy response could lead to session data exfiltration.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-11274.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2024-8233.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 17.4.6, from 17.5 before 17.5.4, and from 17.6 before 17.6.2. It may have been possible for an attacker with a victim’s CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L, 6.7).
It is now mitigated in the latest release and is assigned CVE-2024-12570.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-9387.
Thanks swiftee for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab affecting all versions starting 15.2 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. On self hosted installs, it was possible to leak the cross site request forgery (CSRF) token to an external site while the Harbor integration was enabled.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4).
It is now mitigated in the latest release and is assigned CVE-2024-8647.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to Cross Site Scripting (XSS) if Content Security Policy (CSP) is not enabled.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4).
It is now mitigated in the latest release and is assigned CVE-2024-8179.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorised user can retrieve branch names.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-8116.
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions from 15.0 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-8650.
Thanks salh4ckr for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled resource consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-9367.
Thanks l33thaxor for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 before 17.4.6, starting from 17.5 before 17.5.4, and starting from 17.6 before 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.
This is a medium severity issue (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 4.0).
It is now mitigated in the latest release and is assigned CVE-2024-12292.
This issue was discovered internally by GitLab team member Radamanthus Batnag.
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2024-10043.
Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L, 3.1).
It is now mitigated in the latest release and is assigned CVE-2024-9633.
Thanks psycho_012 for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On November 26, 2024, we released versions 17.6.1, 17.5.3, 17.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim’s Personal Access Token (PAT) to escalate privileges.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N , 8.2).
It is now mitigated in the latest release and is assigned CVE-2024-8114.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-8237.
Thanks l33thaxor for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-11669.
This vulnerability has been discovered internally by a GitLab team member, Dylan Griffith.
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-8177.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-11828.
Thanks luryus for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.2).
It is now mitigated in the latest release and is assigned CVE-2024-11668.
This vulnerability has been discovered internally by GitLab team members, Dylan Griffith and Heinrich Lee Yu.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On November 13, 2024, we released versions 17.5.2, 17.4.4, 17.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, 8.5).
It is now mitigated in the latest release and is assigned CVE-2024-9693.
This vulnerability was found internally by a GitLab team member Tiger Watson.
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8).
It is now mitigated in the latest release and is assigned CVE-2024-7404.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
We have requested a CVE ID and will update this blog post when it is assigned.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1).
It is now mitigated in the latest release and is assigned CVE-2024-8648.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4).
It is now mitigated in the latest release and is assigned CVE-2024-8180.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-10240.
This vulnerability has been discovered internally by GitLab team member Patrick Bajao.
Mattermost has been updated to versions 10.1.2, which contains several patches and security fixes.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On October 23, 2024, we released versions 17.5.1, 17.4.3, 17.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| HTML injection in Global Search may lead to XSS | High |
| DoS via XML manifest file import | Medium |
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-8312.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-6826.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
Helm charts, devkit and analytics stack have been patched to no longer support dynamic funnels.
The GitLab chart bundles a forked Ingress NGINX Controller subchart. We’ve updated its image version to 1.11.2.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On October 9, 2024, we released versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6).
It is now mitigated in the latest release and is assigned CVE-2024-9164.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2).
It is now mitigated in the latest release and is assigned CVE-2024-8970.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2).
It is now mitigated in the latest release and is assigned CVE-2024-8977.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, were viewing diffs of MR with conflicts can be slow. This is a high severity issue (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-9631.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, it can be made to render as HTML under specific circumstances.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3).
It is now mitigated in the latest release and is assigned CVE-2024-6530.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9).
It is now mitigated in the latest release and is assigned CVE-2024-9623.
Thanks stevenorman for reporting this vulnerability.
An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-5005.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7).
It is now mitigated in the latest release and is assigned CVE-2024-9596.
This issue was discovered internally by GitLab team member Paul Gascou-Vaillancourt.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On September 25, 2024, we released versions 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, and 16.0.10 for GitLab Community Edition (CE) and Enterprise Edition (EE). This extends the security fixes previously added to 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10.
These versions contain backports of an important security fix which was previously released for GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10. We strongly recommend that all affected self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Special thanks goes to Roger Meier (@bufferoverflow) who originally created the merge request in Canonical.
We strongly recommend that all installations running a version affected by the issue described below be upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| SAML authentication bypass | Critical |
Updates dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0 to mitigate CVE-2024-45409. This security vulnerability applies only to instances which
have configured SAML based authentication.
The following mitigation for self-managed GitLab installations prevents successful exploitation of CVE-2024-45409:
Evidence of attempted or successful exploitation of Ruby-SAML (CVE-2024-45409) will be present in the GitLab application_json and auth_json log files.
Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit.
Two examples are shown below, but the error may manifest with other descriptions. The common string to search for is RubySaml::ValidationError inside the application_json log.
{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"Successful exploitation attempts will trigger SAML related log events. However, there may be differences that make an exploit attempt unique from legitimate SAML authentication events.
A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation. Therefore, identifying a unique extern_uid that is not common in your organization could be an indicator of potential exploitation.
{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login. These include both the key and value fields that you specify at your IdP, and may be unknown to unauthorized individuals - especially if you have customized these attributes.
You can review your auth_json log file to look for SAML responses with incorrect or missing information in the attributes section.
"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","payload_type":"saml_response": {"issuer": ["xxx"],"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}For self managed customers forwarding GitLab application_json logs to a SIEM, creating detections to detect Ruby-SAML (CVE-2024-45409) exploitation attempts is possible. Our team is sharing two threat detections rules, written in Sigma format, to detect potential exploitation.
Note: These detections may need to be tuned and modified to customer environments in order to deliver effective results, and due to varying configurations of different customer environments, customers should validate the legitimacy and accuracy of any events identified by these detections.
This detection is designed to identify an authenticated SAML user with more than one extern_uid values linked to authentication events, a potential indication of malicious authentications with an attacker set extern_uid field.
title: Multiple extern_ids
description: Detects when their are multiple extern_id's associated with a user.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
select log source application.log
where 7d < event_time < now()
where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
regex(message, "saving user (?<user_email>\S+) .*extern_uid \S+ (?<extern_id>[\S]+)")
count extern_id by user_email as total_extern_ids
where total_extern_ids > 1
verify: Review Gitlab application logs for the source IP of the SAML authentications. If there is a singular IP for all extern_ids this could point to a false positive. Cross reference the SAML authentication source IP/s with the known user's IP from sso authentication logs.
tuning: N/AThis detection is designed to correlate authentication events, grouped by user, against both GitLab SAML authentication events as well as other iDP authentication events in an effort to identify any change in user IP address, which could be an indication of attacker authentication sessions.
title: Gitlab SAML IP differs from SSO IP
description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the users known IP from SSO MFA logs.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
select log source application.log
where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
regex(message, "saving user (?<user_email>\S+) ")
#Create sub-query to bring in table from SSO authentication data
select meta_remote_ip, user_email
where user_email in
(
select log source authentication
where 1d < event_time < now()
where event_type="user.authentication.auth_via_mfa"
group by user_email, sso_source_ip
)
where sso_source_ip!=meta_remote_ip
verify: False positives can arise when the user is traveling. Review SSO authentication logs to see if the geo-location is similar to the SAML authentication to Gitlab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's Gitlab account and review their activity through Gitlab's application logs.
tuning: If the query is producing high false positives, consider using geolocation functions on IPs to compare the cities and countries that are generating the authentications.To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On September 25, 2024, we released versions 17.4.1, 17.3.4, 17.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting via a POST request.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5).
It is now mitigated in the latest release and is assigned CVE-2024-4278.
Thanks ac7n0w for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could’ve allowed an attacker to hide prompt injection.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2024-4099.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure issue has been discovered in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorized user.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6).
It is now mitigated in the latest release and is assigned CVE-2024-8974.
This vulnerability has been discovered internally by GitLab team member Lukas Eipert.
Mattermost has been updated to version 9.11.1, which contains several patches and security fixes.
lowTo update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On September 17, 2024, we released versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
All GitLab Dedicated instances have been upgraded and customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Version 17.2.6 has been used to remediate GitLab Dedicated and hasn’t been made public. Version 17.2.7 contains identical changes.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| SAML authentication bypass | Critical |
Updates dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0 to mitigate CVE-2024-45409. This security vulnerability applies only to instances which
have configured SAML based authentication.
The following mitigation for self-managed GitLab installations prevents successful exploitation of CVE-2024-45409:
Evidence of attempted or successful exploitation of Ruby-SAML (CVE-2024-45409) will be present in the GitLab application_json and auth_json log files.
Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit.
Two examples are shown below, but the error may manifest with other descriptions. The common string to search for is RubySaml::ValidationError inside the application_json log.
{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"Successful exploitation attempts will trigger SAML related log events. However, there may be differences that make an exploit attempt unique from legitimate SAML authentication events.
A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation. Therefore, identifying a unique extern_uid that is not common in your organization could be an indicator of potential exploitation.
{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login. These include both the key and value fields that you specify at your IdP, and may be unknown to unauthorized individuals - especially if you have customized these attributes.
You can review your auth_json log file to look for SAML responses with incorrect or missing information in the attributes section.
"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","payload_type":"saml_response": {"issuer": ["xxx"],"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}For self managed customers forwarding GitLab application_json logs to a SIEM, creating detections to detect Ruby-SAML (CVE-2024-45409) exploitation attempts is possible. Our team is sharing two threat detections rules, written in Sigma format, to detect potential exploitation.
Note: These detections may need to be tuned and modified to customer environments in order to deliver effective results, and due to varying configurations of different customer environments, customers should validate the legitimacy and accuracy of any events identified by these detections.
This detection is designed to identify an authenticated SAML user with more than one extern_uid values linked to authentication events, a potential indication of malicious authentications with an attacker set extern_uid field.
title: Multiple extern_ids
description: Detects when their are multiple extern_id's associated with a user.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
select log source application.log
where 7d < event_time < now()
where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
regex(message, "saving user (?<user_email>\S+) .*extern_uid \S+ (?<extern_id>[\S]+)")
count extern_id by user_email as total_extern_ids
where total_extern_ids > 1
verify: Review Gitlab application logs for the source IP of the SAML authentications. If there is a singular IP for all extern_ids this could point to a false positive. Cross reference the SAML authentication source IP/s with the known user's IP from sso authentication logs.
tuning: N/AThis detection is designed to correlate authentication events, grouped by user, against both GitLab SAML authentication events as well as other iDP authentication events in an effort to identify any change in user IP address, which could be an indication of attacker authentication sessions.
title: Gitlab SAML IP differs from SSO IP
description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the users known IP from SSO MFA logs.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
select log source application.log
where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
regex(message, "saving user (?<user_email>\S+) ")
#Create sub-query to bring in table from SSO authentication data
select meta_remote_ip, user_email
where user_email in
(
select log source authentication
where 1d < event_time < now()
where event_type="user.authentication.auth_via_mfa"
group by user_email, sso_source_ip
)
where sso_source_ip!=meta_remote_ip
verify: False positives can arise when the user is traveling. Review SSO authentication logs to see if the geo-location is similar to the SAML authentication to Gitlab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's Gitlab account and review their activity through Gitlab's application logs.
tuning: If the query is producing high false positives, consider using geolocation functions on IPs to compare the cities and countries that are generating the authentications.To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On September 11, 2024, we released versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9).
It is now mitigated in the latest release and is assigned CVE-2024-6678.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 8.5).
It is now mitigated in the latest release and is assigned CVE-2024-8640.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, 7.7).
It is now mitigated in the latest release and is assigned CVE-2024-8635.
This vulnerability was discovered internally by GitLab team member joernchen.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2024-8124.
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim’s CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L, 6.7).
It is now mitigated in the latest release and is assigned CVE-2024-8641.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-8311.
This vulnerability has been discovered internally by GitLab team member Andy Schoenen.
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-4660.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Joern Schneeweisz.
An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-4283.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-4612.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N, 5.5).
It is now mitigated in the latest release and is assigned CVE-2024-8631.
Thanks chotebabume for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-2743.
Thanks 0xn3va for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered discovered in GitLab CE/EE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, 4.5).
It is now mitigated in the latest release and is assigned CVE-2024-5435.
Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-6389.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
This is a medium severity issue (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 4.0).
It is now mitigated in the latest release and is assigned CVE-2024-4472.
Thanks ac7n0w for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5).
It is now mitigated in the latest release and is assigned CVE-2024-6446.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2024-6685.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
17-3To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On September 11, 2024, we released versions 16.11.9 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On August 21, 2024, we released versions 17.3.1, 17.2.4, 17.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7).
It is now mitigated in the latest release and is assigned CVE-2024-6502.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-8041.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, allows an attacker to execute arbitrary command in a victim’s pipeline through prompt injection.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-7110.
This vulnerability has been discovered internally by GitLab team member Dennis Appelt.
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorized users to perform some actions at the group level.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-3127.
Thanks 0x777 for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to versions 9.9.0, which contains several patches and security fixes.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
Note: GitLab releases have skipped 17.2.3 and 17.1.5 . There are no patches with these version numbers.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On August 7, 2024, we released versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8).
It is now mitigated in the latest release and is assigned CVE-2024-3035.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N , 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-6356.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Terri Chu.
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-5423.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-4210.
Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2800.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7).
It is now mitigated in the latest release and is assigned CVE-2024-6329.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N , 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-4207.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-3958.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.9).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Dominic Couture.
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.2).
It is now mitigated in the latest release and is assigned CVE-2024-4784.
Thanks vexin for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-3114.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N, 4.1).
It is now mitigated in the latest release and is assigned CVE-2024-7586.
This vulnerability was discovered internally by GitLab Team Anton Smith.
project_daily_statistic_counter_attribute_fetch FF by defaultThis default enabled, optional setting added for admins of GitLab self-managed instances on versions 16.11 and above allow them to enable mandatory expiraton on all new personal, project and group access tokens. Expirations set for existing tokens are not affected by this setting. For usage information see Require expiration dates for new access tokens
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On July 24, 2024, we released versions 17.2.1, 17.1.3, 17.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, 7.7)
This vulnerability has been discovered internally by GitLab team member Joern Schneeweisz.
An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N , 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-5067.
Thanks yvvdwf and zebraman for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-7057.
Thanks ricardobrito for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N, 4.1 ).
This vulnerability was found internally by a GitLab team member James Nutt.
A resource misdirection vulnerability in GitLab CE/EE affecting all versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7).
It is now mitigated in the latest release and is assigned CVE-2024-0231.
Thanks aaron_dewes for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6).
This vulnerability has been discovered internally by GitLab team member Martin Wortschack
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On July 10, 2024, we released versions 17.1.2, 17.0.4, 16.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6).
It is now resolved in the latest release and is assigned CVE-2024-6385.
Thanks to yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
admin_compliance_framework permission can change group URLAn issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with admin_compliance_framework custom role may have been able to modify the URL for a group namespace.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9).
It is now mitigated in the latest release and is assigned CVE-2024-5257.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with admin_push_rules permission may have been able to create project-level deploy tokens.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N, 3.8).
It is now mitigated in the latest release and is assigned CVE-2024-5470.
Thanks indoappsec for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N, 3.0).
It is now mitigated in the latest release and is assigned CVE-2024-6595.
This vulnerability was found internally by a GitLab team member Ameya Darshan. Thanks to Darcy Clarke for their work on manifest confusion.
admin_group_member permission can ban group membersAn issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with admin_group_member custom role permission could ban group members.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7).
It is now mitigated in the latest release and is assigned CVE-2024-2880.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages by checking if the domain is enabled every time the custom domain is resolved.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5).
It is now mitigated in the latest release and is assigned CVE-2024-5528.
Thanks fdeleite for reporting this vulnerability through our HackerOne bug bounty program.
symlinkPointsToGitDir version checkTo update GitLab, see the update page. To update GitLab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On June 26, 2024, we released versions 17.1.1, 17.0.3, 16.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which could allow an attacker to trigger a pipeline as another user under certain circumstances. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now resolved in the latest release and is assigned CVE-2024-5655.
Thanks to ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
Breaking changes:
At this time, we have not found evidence of abuse of this vulnerability on the platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-4901.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
IntrospectionQueryAn issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab’s GraphQL API leading to the execution of arbitrary GraphQL mutations. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, 8.1). It is now mitigated in the latest release and is assigned CVE-2024-4994.
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-6323.
Thanks to GitLab Team Member, @joernchen for reporting this issue.
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-2177.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N, 6.8).
It is now mitigated in the latest release and is assigned CVE-2024-5430.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-4025.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-3959.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
Multiple Denial of Service (DoS) issues has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4557.
Thanks joaxcar and setiawan_ for reporting these vulnerability through our HackerOne bug bounty program
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1493.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-1816.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-2191.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-3115.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2024-4011.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
admin_runner ability to change shared runners setting”To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On June 12, 2024, we released versions 17.0.2, 16.11.4, 16.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-1495.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab’s CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-1736.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab’s Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-1963.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-4201.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L, 3.1).
It is now mitigated in the latest release and is assigned CVE-2024-5469.
This vulnerability has been discovered internally by the Environments team.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On May 22, 2024, we released versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N, 8.0)
It is now mitigated in the latest release and is assigned CVE-2024-4835.
Thanks matanber for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions up to 16.10.6, versions 16.11 up to 16.11.3, and 17.0 up to 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2874.
Thanks ac7n0w for reporting this vulnerability through our HackerOne bug bounty program
A CSRF vulnerability exists within GitLab CE/EE from versions 16.3 up to 16.10.6, from 16.11 up to 16.11.3, from 17.0 up to 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).
This is a medium severity issue (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4).
It is now mitigated in the latest release and is assigned CVE-2023-7045.
Thanks imrerad for reporting this vulnerability through our HackerOne bug bounty program
An authorization vulnerability exists within GitLab from versions 16.10 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-5258.
Thanks to GitLab Team Member, Andrew Winata for reporting this issue.
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-6502.
Thanks Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-1947.
Thanks luryus for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-5318.
Thanks ricardobrito for reporting this vulnerability through our HackerOne bug bounty program.
Mitigations were made to take care of vulnerability in PDF.js CVE-2024-4367.
Thanks h4x0r_dz for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to versions 9.7.2, which contains several patches and security fixes.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On May 9, 2024, we released versions 16.9.8 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On May 8, 2024, we released versions 16.11.2, 16.10.5, 16.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2024-2878.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2651.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2023-6682.
Thanks to Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2023-6688.
Thanks to Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2454.
Thanks ac7n0w for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-4539.
This vulnerability was reported internally by a GitLab team member Vasilii Iakliushin.
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7).
It is now mitigated in the latest release and is assigned CVE-2024-4597.
This vulnerability was reported internally by a GitLab team member joernchen.
An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-1539.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-1211.
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-3976.
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6).
It is now mitigated in the latest release and is assigned CVE-2023-6195.
Thanks imrerad for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On April 24, 2024, we released versions 16.11.1, 16.10.4, 16.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
The following KAS patch releases contain breaking changes from the %17.0 revision, because they were tagged from the wrong source (master instead of stable branches):
The next GitLab patch release will fix those changes. Issue 458462 provides more information.
As a workaround KAS can be downgraded to the last release. Working KAS versions are:
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user’s Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3).
It is now mitigated in the latest release and is assigned CVE-2024-4024.
This vulnerability has been discovered internally by GitLab team members Sam Word and Rodrigo Tomonari.
On 2024-04-24, GitLab changed the way Bitbucket authentication works with GitLab. To continue using Bitbucket Authentication, please sign in to GitLab with your Bitbucket account credentials, before 2024-05-16.
If you do not sign into GitLab using your Bitbucket account until after 2024-05-16, you will need to re-link your Bitbucket account to your GitLab account manually. For some users, signing in to GitLab using their Bitbucket account may not work after this fix is applied. If this happens to you, your Bitbucket and GitLab accounts have different email addresses. To resolve this, you must log in to your GitLab account with your GitLab username and password and re-link your Bitbucket account.
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H, 8.5). It is now mitigated in the latest release and is assigned CVE-2024-2434.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2024-2829.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-4006.
This vulnerability was internally discovered and reported by a GitLab team member, Dylan Griffith.
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-1347.
Thanks garethheyes for reporting this vulnerability through our HackerOne bug bounty program.
golang.org/x/net dependencyTo update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On April 15, 2024, we released versions 16.10.3, 16.9.5, 16.8.7 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On April 10, 2024, we released versions 16.10.2, 16.9.4, 16.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| Stored XSS injected in diff viewer | High |
| Stored XSS via autocomplete results | High |
| Redos on Integrations Chat Messages | Medium |
| Redos During Parse Junit Test Report | Medium |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-3092.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature, a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-2279.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-6489.
Thanks Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using malicious crafted content in a junit test report file.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-6678.
Thanks Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On March 27, 2024, we released versions 16.10.1, 16.9.3, 16.8.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| Stored-XSS injected in Wiki page via Banzai pipeline | High |
| DOS using crafted emojis | Medium |
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2023-6371.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-2818.
Thanks Quintin Crist of Trend Micro for reporting this vulnerability to us.
The PostgreSQL project released an update so we are updating to versions 13.14 and 14.11.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
]]>On March 6, 2024, we released versions 16.9.2, 16.8.4, 16.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| Bypassing CODEOWNERS approval allowing to steal protected variables | High |
| Guest with manage group access tokens can rotate and see group access token with owner permissions | Medium |
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, 7.7).
It is now mitigated in the latest release and is assigned CVE-2024-0199.
Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of manage_group_access_tokens to rotate group access tokens with owner privileges.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-1299.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
kubectl has been updated to version 1.29.2.
Mattermost has been updated to version 9.5, which contains several patches and security fixes.
To update GitLab, see the update page. To update GitLab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On February 21, 2024, we released versions 16.9.1, 16.8.3, 16.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting version 16.9 only. A crafted payload added to the user profile page could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2024-1451.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L, 6.7). It is now mitigated in the latest release and is assigned CVE-2023-6477.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6736.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.2, all versions starting from 16.8 before 16.8.2, all versions starting from 16.9 before 16.9.2. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-1525.
This vulnerability was discovered internally by a GitLab team member, Drew Blessing.
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the ‘group ip restriction’ settings to access environment details of projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4895.
Thanks albatraoz for reporting this vulnerability through our HackerOne bug bounty program.
Guest role can change Custom dashboard projects settings for projects in the victim groupAn issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the Guest role can change Custom dashboard projects settings contrary to permissions. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-0861.
Thanks them4les_l1r for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2023-3509.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N, 3.0). It is now mitigated in the latest release and is assigned CVE-2024-0410.
Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On January 12, 2024, we released versions 16.7.3 16.6.5 16.5.7 for GitLab Community Edition and Enterprise Edition.
These versions resolve a single issue with a database migration.
This version fixes an issue with an existing migration that prevented upgrades from completing. It does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On January 11, 2024, we released versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for security vulnerabilities in security releases. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. If you have not upgraded yet, be aware that there is a newer patch that includes additional fixes for recently discovered DB migration issue. Please upgrade to 16.7.3, 16.6.5, 16.5.7, or newer to prevent the migration issue.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
This is a Critical severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 10.0).
It is now mitigated in the latest release and is assigned CVE-2023-7028.
This security fix has been backported to GitLab versions and 16.1.6, 16.2.9, 16.3.7, and 16.4.5 in addition to 16.5.6, 16.6.4, and 16.7.2.
Thanks asterion04 for reporting this vulnerability through our HackerOne bug bounty program.
What should I do if I believe my GitLab instance is compromised?
In addition to following your incident response plan
Who is impacted by this?
GitLab self-managed instances using the following affected versions:
Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.
What actions should I take?
Has the vulnerability been resolved?
This vulnerability was resolved with this security release.
Were any accounts actually compromised due to this vulnerability?
We have not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. Self-managed customers can review their logs to check for possible attempts to exploit this vulnerability:
/users/password path with params.value.email consisting of a JSON array with multiple email addresses.meta.caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.When was the vulnerability introduced?
The vulnerability was introduced in 16.1.0 on May 1, 2023.
How was the vulnerability discovered?
The vulnerability was responsibly reported through our Bug Bounty program.
What security measures do you have in place to prevent such vulnerabilities?
How did this happen?
A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process. The bug has been fixed with this patch, and as mentioned above, we have implemented a number of preventive security measures to protect customers.
Does this affect me if I use an Identity Provider, like Okta or Azure AD?
Users without SSO enforcement are vulnerable. If your configuration allows a username and password to be used in addition to SSO options, then you are impacted. Disabling all password authentication options via Sign-in restrictions settings will mitigate the vulnerability for Self-Managed customers that have an external identity provider configured, as this will disable the ability to perform password reset.
Am I affected by this vulnerability if I have 2FA enforced?
An attacker will not be able to takeover your account if you have 2FA enabled. They may still be able to reset your password but will not be able to access your second factor authentication method. If you are suddenly redirected to login, or see a reset email triggered, please reset your password.
Does this vulnerability affect GitLab Runner?
No, this vulnerability does not affect GitLab Runner. This vulnerability affected the GitLab Rails codebase for impacted versions of GitLab itself. GitLab Runner has a separate code base that is unaffected.
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 16.5.5, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N, 7.6).
It is now mitigated in the latest release and is assigned CVE-2023-4812.
Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.
Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N, 7.3).
It is now mitigated in the latest release and is assigned CVE-2023-5356.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An improper access control vulnerability exists in GitLab Workspaces affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N, 6.6).
It is now mitigated in the latest release and is assigned CVE-2023-6955.
This vulnerability was discovered internally by GitLab team member @j.seto.
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5).
It is now mitigated in the latest release and is assigned CVE-2023-2030.
Thanks lotsofloops for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On December 13, 2023, we released versions 16.6.2, 16.5.4, and 16.4.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, 7.4). It is now mitigated in the latest release and is assigned CVE-2023-6680.
Thanks Lucas Serrano from PEReN (@LSerranoPEReN) for reporting this vulnerability.
An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6564.
This vulnerability has been discovered internally by a GitLab team member.
The following script can help you identify projects that may be subject to a vulnerable configuration. This script can be used to create a CSV file listing projects that have a group set as “Allowed to merge” or “Allowed to push and merge” along with the web_url and project_id for the project and the group_name/group_id for the group. Note that this is not an indication that unauthorized changes were made to protected branches, but rather an indication that these projects were subject to this vulnerable configuration. For impacted projects, customers will need to check merge requests that were merged on their self-managed GitLab instances running 16.4.3, 16.5.3, or 16.6.1 prior to updating to 16.4.4, 16.5.4, or 16.6.2 or on GitLab.com prior to 2023-12-04 18:10 UTC.
## install `glab` (if not already installed)
# https://gitlab.com/gitlab-org/cli#installation
## install `jq` (if not already installed)
# https://jqlang.github.io/jq/download/
# authenticate with `glab` as Admin (self-managed) or group owner (SaaS)
glab auth login
## get `project_id` and `web_url` for all projects at the instance level (self-managed) or group level (SaaS), save it as `project-list.csv`
# self-managed - instance level (use Admin PAT for authentication)
glab api --hostname "self-managed-gitlab.example.com" --paginate projects 2>> error.log | jq -c '.[]' | jq -rc '[.id, .web_url] | @csv' | tee -a project-list.csv
# SaaS - group level (use group owner PAT for authentication)
glab api --paginate "groups/$GROUP_ID/projects" 2>> error.log | jq -c '.[]' | jq -rc '[.id, .web_url] | @csv' | tee -a project-list.csv
## add headers to protected_branch_report.csv file
echo "project_id, web_url, group_name_push_access, group_id_push_access, group_name_merge_access, group_id_merge_access" > protected_branch_report.csv
## loop through each project to check for protected branches that have a group with push or merge access
while IFS=',' read -r PROJECT_ID WEB_URL; do
glab api "projects/$PROJECT_ID/protected_branches" 2>> error.log \
| jq -c '.[]' \
| jq 'select((any(.push_access_levels[]; .group_id != null and .access_level == 40)) or (any(.merge_access_levels[]; .group_id != null and .access_level == 40)))' 2>> error.log \
| jq -c "{project_id: $PROJECT_ID, web_url: $WEB_URL, group_id_push_access: .push_access_levels.[].group_id, group_name_push_access: .push_access_levels.[].access_level_description, group_id_merge_access: .merge_access_levels.[].group_id, group_name_merge_access: .merge_access_levels.[].access_level_description}" 2>> error.log \
| jq 'select((.group_id_push_access != null or .group_id_merge_access != null) and (.group_name_push_access != "Maintainers" or .group_name_merge_access != "Maintainers"))' 2>> error.log \
| jq -rc '[.project_id, .web_url, .group_name_push_access, .group_id_push_access, .group_name_merge_access, .group_id_merge_access] | @csv' \
| tee -a protected_branch_report.csv
done < project-list.csvGitLab has conducted limited testing to validate this script. As such this script is provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7).
It is now mitigated in the latest release and is assigned CVE-2023-6051.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9).
It is now mitigated in the latest release and is assigned CVE-2023-3907.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect representation in the UI.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8).
It is now mitigated in the latest release and is assigned CVE-2023-5512.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible to overflow the time spent on an issue that altered the details shown in the issue boards.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-3904.
Thanks toukakirishima for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-5061.
Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they’re not a member of. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N, 2.0). It is now mitigated in the latest release and is assigned CVE-2023-3511.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On November 30, 2023, we released versions 16.6.1, 16.5.3, 16.4.3 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allowed attacker to execute javascript in victim’s browser.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2023-6033.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. When a user is assigned a custom role with `admin_group_member`` enabled, they may be able to add a member with a higher static role than themselves to the group which may lead to privilege escalation.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1).
It is now mitigated in the latest release and is assigned CVE-2023-6396.
This vulnerability was discovered internally by GitLab team member jarka.
An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects’ release descriptions via an atom endpoint when release access on the public was set to only project members
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2023-3949.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8).
It is now mitigated in the latest release and is assigned CVE-2023-5226.
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-5995.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L, 2.6).
It is now mitigated in the latest release and is assigned CVE-2023-4912.
Thanks toukakirishima for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-4317.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
Package registry is turned offAn issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-3964.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
Allowed to push and merge access and affect integrity of protected branchesAn issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted the permission through a group.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2023-4658.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2023-3443.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to the latest patch release to mitigate several security issues.
PostgreSQL has been updated to 14.9 and 13.12 to mitigate CVE-2023-39417.
pcre2 has been updated to version 10.42 to mitigate CVE-2022-41409.
+ char in abuse detection for global search16-5-stable16-4-stableasdf-bootstrapped-verify version on 16.4To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On November 14, 2023, we released versions 16.5.2 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On October 31, 2023, we released versions 16.5.1, 16.4.2, 16.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
On 2023-10-20 11:03 UTC, GitLab internally discovered (CVE-2023-5831) that a change in the GitLab sidebar feature resulted in self-managed GitLab instances sending version-checks to version.gitlab.com each time they opened a page on their GitLab instance. This means that the hostnames and current versions of self-managed GitLab instances were being sent to version.gitlab.com any time a user of that GitLab instance opened any page, regardless of whether or not the sending of version-check was enabled. This information was only accessible to some GitLab team members and was not exposed externally, and GitLab is working to purge the erroneously collected data from our database.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab affecting all versions starting from 11.6 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, 8.5).
It is now mitigated in the latest release and is assigned CVE-2023-3399.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-5825.
Thanks blakbat for reporting this vulnerability through our HackerOne bug bounty program"
timeout input leads to Denial of ServiceAn issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file." This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3909.
Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3246.
Thanks zhutyra for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-5600.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-4700.
Thanks Gregor Pirolt for reporting this vulnerability through our HackerOne bug bounty program.
super_sidebar_logged_out feature flag is enabledAn issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the super_sidebar_logged_out feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7).
It is now mitigated in the latest release and is assigned CVE-2023-5831.
This vulnerability was discovered internally by the GitLab team.
An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L, 3.1). It is now mitigated in the latest release. We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was found internally by GitLab.
curl has been updated to v8.4.0 to mitigate CVE-2023-38545.
mermaid has been updated to 10.5.0 to mitigate a security issue.
NGINX has been patched to mitigate CVE-2023-44487.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On September 28, 2023, we released versions 16.4.1, 16.3.5, and 16.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2023-5207.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Two issues have been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports. These are a high severity issues (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). They are now mitigated in the latest release and are assigned CVE-2023-5106.
These issues have been discovered internally by GitLab team member Joern Schneeweisz.
An issue has been discovered in GitLab EE affecting all versions starting 15.3 prior to prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N, 8.1). It is now mitigated in the latest release and is assigned CVE-2023-4379.
This issue was reported by a customer.
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that an unauthorised user to fork a public project. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-3413.
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.
Patch in third party library Consul requires ’enable-script-checks’ to be set to False. This only affects GitLab-EE. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). It is now mitigated in the latest release and is assigned CVE-2023-5332.
This issue was reported by a customer.
A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-3914.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-3115.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-5198.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4532.
Thanks ricardobrito for reporting this vulnerability through our HackerOne bug bounty program.
Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows attacker to cause pipelines to fail. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3917.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3920.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure issue in GitLab CE/EE affecting all versions from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0989.
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-3906.
Thanks afewgoats for reporting this vulnerability through our HackerOne bug bounty program.
Allowed to push and merge access and affect integrity of protected branchesAn issue has been discovered in GitLab EE affecting all versions starting from X.Y before 16.X, all versions starting from 16.X before 16.X. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted the permission through a group. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-4658.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch. . This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-3979.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.x8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4.0 before 16.4.1. It allows a project reporter to leak the owner’s Sentry instance projects. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-2233.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L, 3.0). It is now mitigated in the latest release and is assigned CVE-2023-3922.
Thanks ammar2 for reporting this vulnerability through our HackerOne bug bounty program.
Exiftool has been updated to version 1.12 in order to mitigate security issues.
Mattermost has been updated to version 8.1.2 in order to mitigate security issues.
Auto deploy image has been updated to version 2.55.0 in order to mitigate security issues.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On September 18, 2023, we released versions 16.3.4 and 16.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. For versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4, see the mitigations offered below.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| Attacker can abuse scan execution policies to run pipeline as another user | high |
An issue has been discovered in GitLab EE affecting all versions starting
from 13.12 before 16.2.7 and all
versions starting from 16.3 before 16.3.4. It was possible for an attacker to run
pipelines as an arbitrary user via scheduled security scan policies.
This was a bypass of CVE-2023-3932 showing additional impact.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2).
It is now mitigated in the latest release and is assigned CVE-2023-5009.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Instances running versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4 are vulnerable if both of the features below are enabled at the same time. In order to mitigate this vulnerability in situations where it’s not possible to upgrade, it is required to disable one or both features.
If both features are turned on, the instance is in a vulnerable state.
This security release also includes the following non-security patches.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On September 12, 2023, we released versions 16.2.6 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On September 12, 2023, we released versions 16.3.3 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On September 5, 2023, we released versions 16.3.2 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On August 31, 2023, we released versions 16.3.1, 16.2.5 and 16.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-3915.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a result of an incomplete fix for CVE-2022-4365. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-4378.
Thanks 70rpedo for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5), and affects only GitLab EE. It is now mitigated in the latest release and is assigned CVE-2023-3950.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project’s imports. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It is now mitigated in the latest release and is assigned CVE-2023-4630.
This vulnerability was found internally by a GitLab team member Rodrigo Tomonari.
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in site profile. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0), and only affects GitLab EE. It is now mitigated in the latest release and is assigned CVE-2022-4343.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.3 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to fork a project outside of current group by an unauthorised user. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4638.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4018.
Thanks ricardobrito for reporting this vulnerability through our HackerOne bug bounty program
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,6.5). It is now mitigated in the latest release and is assigned CVE-2023-3205.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-4647.
This vulnerability has been discovered internally by GitLab team member Vasilii Iakliushin
An issue has been discovered in GitLab CE/EE affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-1279.
Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-0120.
Thanks drjgouveia for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). It is now mitigated in the latest release and is assigned CVE-2023-1555.
Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.
Commonmarker has been updated to version 0.23.10 in order to mitigate security issues.
Openssl has been updated to version to 1.1.1u in order to mitigate security issues.
This security release also includes the following non-security patches.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On August 11, 2023, we released versions 16.2.4 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On August 3, 2023, we released version 16.1.4 for GitLab Community Edition and Enterprise Edition.
This version resolves a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On August 3, 2023, we released versions 16.2.3 for GitLab Community Edition and Enterprise Edition.
This version resolves a bug.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On August 1, 2023, we released versions 16.2.2, 16.1.3, and 16.0.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-3994.
Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-3364.
Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2023-3932.
Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0632.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project ‘from export’ could access and read unrelated files via uploading a specially crafted file. This was due to a bug in tar, fixed in tar-1.35. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N, 6.3). It is now mitigated in the latest release and is assigned CVE-2023-3385.
Thanks ubercomp for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-2164.
Thanks viridian_40826d for reporting this vulnerability through our HackerOne bug bounty program.
securityPolicyProjectAssign mutation does not authorize security policy project IDAn issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security projects’s configured security policies. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-4002.
This vulnerability has been discovered internally by GitLab team member bauerdominic.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It is now mitigated in the latest release and is assigned CVE-2023-4008.
This vulnerability was discovered internally by GitLab team member kassio.
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.9). It is now mitigated in the latest release and is assigned CVE-2023-3993.
This vulnerability was discovered internally by GitLab team member mjozenazemian.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-3500.
Thanks ankitsingh for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-3401.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid ‘start_sha’ value on merge requests page may lead to Denial of Service as Changes tab would not load. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3900.
Thanks toukakirishima for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don’t have access to merge. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2022.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions from 15.11 prior to 16.2.2 which allows an attacker to spike the resource consumption by loading Dependency List page, resulting in a possible DoS. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is mitigated in the latest 16.2.2 release and is assigned CVE-2023-4011.
This vulnerability was discovered internally by GitLab team member gonzoyumo.
An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user’s email via an error message for groups that restrict membership by email domain. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1210.
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to version 7.10.4 in order to mitigate security issues.
Redis has been updated to version 6.2.13 in order to mitigate security issues.
This security release also includes the following non-security patches.
descendant_security_scans by defaultrecommend_pg_upgrade to false for nowTo update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On July 25, 2023, we released versions 16.2.1 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On July 5, 2023, we released versions 16.1.2, 16.0.7, and 15.11.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab Enterprise Edition installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all GitLab EE installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| A user can change the name and path of some public GitLab groups | high |
An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, 8.0). It is now mitigated in the latest release and is assigned CVE-2023-3484.
Thanks zeb0x01 for reporting this vulnerability through our HackerOne bug bounty program.
This security release also includes the following non-security patches.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On June 29, 2023, we released versions 16.1.1, 16.0.6, and 15.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-3424.
Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-2190.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches due to a CODEOWNERS approval bug. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now mitigated in the latest release and is assigned CVE-2023-3444.
Thanks glan1k for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-2620.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3362.
This vulnerability has been discovered internally by GitLab team member Rodrigo Tomonari.
A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issues and merge requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3102.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2576.
Thanks inspector-ambitious for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N, 4.1). It is now mitigated in the latest release and is assigned CVE-2023-2200.
Thanks cryptopone for reporting this vulnerability through our HackerOne bug bounty program.
An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to default. This is a low severity issue (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, 3.9). It is now mitigated in the latest release and is assigned CVE-2023-3363.
This vulnerability was reported by Martin Vaisset from MyMoneyBank.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-1936.
Thanks ricardobrito for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to version 7.10.2 in GitLab 16.0.6 and version 7.9.4 in GitLab 15.11.10 in order to mitigate security issues.
xmlsoft/libxml2 has been updated to version 2.10.4 in order to mitigate security issues.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On June 16, 2023, we released versions 16.0.5 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On June 8, 2023, we released versions 16.0.4 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
This version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On June 7, 2023, we released versions 16.0.3 for GitLab Community Edition and Enterprise Edition.
These versions resolve a number of regressions and bugs.
/lfs/objects/batchThis version does not include any new migrations, and for multi-node deployments, should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-reconfigure file,
which is only used for updates.
To update, check out our update page.
Access to GitLab Premium and Ultimate features is granted by a paid subscription.
Alternatively, sign up for GitLab.com to use GitLab’s own infrastructure.
]]>On June 5, 2023, we released versions 16.0.2, 15.11.7, and 15.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-2442.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2199.
Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2198.
Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2132.
Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.
A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0121.
Thanks luryus for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, 5.9). It is now mitigated in the latest release and is assigned CVE-2023-2589.
Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-2015.
Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-2485.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2001.
Thanks inspector-ambitious for reporting this vulnerability through our HackerOne bug bounty program.
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0921.
Thanks cryptopone for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1204.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-0508.
Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program.
An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1825.
This vulnerability has been discovered internally by GitLab team member.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N, 2.6). It is now mitigated in the latest release and is assigned CVE-2023-2013.
Thanks inspector-ambitious for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost has been updated to version 7.9.3 in order to mitigate security issues.
Ncurses has been updated to version 6.4-20230225 in order to mitigate security issues.
PostgreSQL has been updated to versions 12.14 and 13.11 in order to mitigate security issues.
This security release also includes the following non-security patches.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>On May 23, 2023, we released version 16.0.1 for GitLab Community Edition (CE) and Enterprise Edition (EE). It is only required for installations running 16.0.0. Earlier versions are not affected.
This version contains important security fixes, and we strongly recommend that GitLab installations running 16.0.0 be upgraded immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
| Title | Severity |
|---|---|
| Arbitrary file read via uploads path traversal | critical |
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read
arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, 10.0). It is now mitigated in the latest release and is assigned CVE-2023-2825.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
]]>