3127 matches found

CNNVD
Added 2025/08/27

GitLab CE/EE Security Vulnerability

GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) are both products of GitLab, Inc. GitLab Enterprise Edition is a content management system. A security vulnerability exists in GitLab CE/EE versions from 14.1 prior to 18.1.5,...

CVSS 7.5 · AI score 6.2 · EPSS 0.00346 · Exploits 0 · References 3
Positive Technologies
Added 2025/08/27

PT-2025-34933 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 14.1 through 18.1.4 GitLab CE/EE versions 18.2 through 18.2.4 GitLab CE/EE versions 18.3 through 18.3.0 Description: An issue exists in GitLab CE/EE that, under certain conditions, could allow an unauthenticated attacker...

CVSS 5.3 · AI score 6.3 · EPSS 0.00346 · Exploits 0 · References 8
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2021-4191

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted...

CVSS 5.3 · AI score 7 · EPSS 0.80004 · Exploits 4 · References 2
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2025-3279

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed...

CVSS 6.5 · AI score 5.5 · EPSS 0.00304 · Exploits 0 · References 2
Tenable Nessus
Added 2025/08/27

GitLab 14.1 < 18.1.5 / 18.2 < 18.2.5 / 18.3 < 18.3.1 (CVE-2025-4225)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an...

CVSS 7.5 · AI score 5.5 · EPSS 0.00346 · Exploits 0 · References 4
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2021-22224

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call...

CVSS 7.1 · AI score 6.4 · EPSS 0.00893 · Exploits 0 · References 2
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2024-5430

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1...

CVSS 6.8 · AI score 5.5 · EPSS 0.00491 · Exploits 0 · References 2
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2020-26417

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions =13.6 to =13.5 to =13.1 to...

CVSS 5.3 · AI score 5.6 · EPSS 0.01155 · Exploits 0 · References 2
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2024-3127

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions...

CVSS 4.3 · AI score 5.5 · EPSS 0.00325 · Exploits 1 · References 2
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2022-3411

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated...

CVSS 6.5 · AI score 6.4 · EPSS 0.01247 · Exploits 0 · References 2
Tenable Nessus
Added 2025/08/27

Linux Distros Unpatched Vulnerability : CVE-2020-26415

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab =12.2 ...

CVSS 4.3 · AI score 5.1 · EPSS 0.00815 · Exploits 0 · References 2
Tenable Nessus
Added 2025/08/27

GitLab < 18.1.5 / 18.2 < 18.2.5 / 18.3 < 18.3.1 (CVE-2025-2246)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual...

CVSS 5.8 · AI score 5.5 · EPSS 0.00257 · Exploits 0 · References 4
Github Security Blog
Added 2025/08/26 6:45 p.m.

GraphQL Armor Max-Depth Plugin Bypass via fragment caching

Summary: A query depth restriction using the max-depth can be bypassed if ignoreIntrospection is enabled (the default configuration) by naming your query/fragment schema. Details: In the countDepth function, we have the following code that calculates the depth of a used fragment: ...

AI score 7.1 · Exploits 0 · References 4 · Affected Software 1
Snyk
Added 2025/08/26 6:45 p.m.

Allocation of Resources Without Limits or Throttling

Overview: @escape.tech/graphql-armor-max-depth is a package that limits the depth allowed in a GraphQL query. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the countDepth function. An attacker can cause excessive resource consumption by crafting...

CVSS 6.9 · AI score 6.9 · Exploits 0 · References 2
vulnersOsv
Added 2025/08/26 6:45 p.m.

@cedarjs/api-server (>=0.0.4 <=9.0.0-canary.1784), @cedarjs/cli (>=0.0.4 <=9.0.0-canary.1784) +49 more potentially affected by unknown CVE via @escape.tech/graphql-armor-max-depth (>=2.0.0 <=2.4.1)

@escape.tech/graphql-armor-max-depth NPM version =2.0.0, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.9.1-next.19, =0.0.4, =0.0.4, =0.0.2, =2.0.0, =2.0.6, =2.2.2, =2.19.6 and more Source cves: unknown CVE Source advisory: SNYK:JS-ESCAPETECHGRAPHQLARMORMAXDEPTH-12219956...

AI score 5.8 · Exploits 0
OSV
Added 2025/08/26 6:45 p.m.

GHSA-224P-V68G-5G8F GraphQL Armor Max-Depth Plugin Bypass via fragment caching

Summary: A query depth restriction using the max-depth can be bypassed if ignoreIntrospection is enabled (the default configuration) by naming your query/fragment schema. Details: In the countDepth function, we have the following code that calculates the depth of a used fragment: ...

CVSS 5.3 · AI score 7.1 · Exploits 0 · References 4
Github Security Blog
Added 2025/08/26 6:42 p.m.

GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation

Summary: A query depth restriction using the max-depth property can be bypassed if ignoreIntrospection is enabled (the default configuration) by naming your query/fragment schema. Details: At the start of the countDepth function, we have the following check for the ignoreIntrospection option...

AI score 7 · Exploits 0 · References 4 · Affected Software 1
vulnersOsv
Added 2025/08/26 6:42 p.m.

@cedarjs/api-server (>=0.0.4 <=9.0.0-canary.1784), @cedarjs/cli (>=0.0.4 <=9.0.0-canary.1784) +49 more potentially affected by unknown CVE via @escape.tech/graphql-armor-max-depth (>=2.0.0 <=2.4.1)

@escape.tech/graphql-armor-max-depth NPM version =2.0.0, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.9.1-next.19, =0.0.4, =0.0.4, =0.0.2, =2.0.0, =2.0.6, =2.2.2, =2.19.6 and more Source cves: unknown CVE Source advisory: SNYK:JS-ESCAPETECHGRAPHQLARMORMAXDEPTH-12219686...

AI score 5.8 · Exploits 0
Snyk
Added 2025/08/26 6:42 p.m.

Allocation of Resources Without Limits or Throttling

Overview: @escape.tech/graphql-armor-max-depth is a package that limits the depth allowed in a GraphQL query. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the countDepth function when the ignoreIntrospection configuration is enabled. An attacker ca...

CVSS 6.9 · AI score 6.9 · Exploits 0 · References 2
OSV
Added 2025/08/26 6:42 p.m.

GHSA-HMFR-RX46-4JX2 GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation

Summary: A query depth restriction using the max-depth property can be bypassed if ignoreIntrospection is enabled (the default configuration) by naming your query/fragment schema. Details: At the start of the countDepth function, we have the following check for the ignoreIntrospection option...

CVSS 5.3 · AI score 7 · Exploits 0 · References 4