
cpe:2.3:a:gitlab:gitlab:16.4.0:*:*:*:enterprise:*:*:*

part: a version: 16.4.0 update: *

Vendor: Gitlab (57573e99-56e6-5fad-895e-0ce7fffc5b90)
Product: Gitlab (5414fcda-a172-5f72-b6e4-b415a19d21eb)
Edition: *
Language: *
Software edition: enterprise
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL: pkg:gitlab/gitlab-org/gitlab
Source: purl2cpe
Last updated: 2026-06-01 10:14:46.305792

Vulnerability references

Each entry below gives: identifier, CPE applicability, submission time, db.gcve.eu details (title, severity, description, published/updated dates) and rationale.
CVE-2023-5332 (applicability: vulnerable; submitted 2026-06-03 14:53:48.278694)
Title: Dependency on Vulnerable Third-Party Component in GitLab
Severity: MEDIUM (5.9)
Description: Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.
Published: 2023-12-04T06:30:33.856Z
Updated: 2024-10-03T06:23:16.051Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-5207 (applicability: vulnerable; submitted 2026-06-03 14:53:47.975498)
Title: Execution with Unnecessary Privileges in GitLab
Severity: HIGH (8.2)
Description: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Published: 2023-09-30T08:30:30.788Z
Updated: 2025-11-20T04:10:28.256Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-5198 (applicability: vulnerable; submitted 2026-06-03 14:53:47.954495)
Title: Incorrect Authorization in GitLab
Severity: MEDIUM (4.3)
Description: An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.
Published: 2023-09-29T07:01:42.219Z
Updated: 2026-05-17T04:06:13.122Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-5106 (applicability: vulnerable; submitted 2026-06-03 14:53:47.012656)
Title: Incorrect Authorization in GitLab
Severity: HIGH (8.2)
Description: An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
Published: 2023-10-02T11:49:56.333Z
Updated: 2026-04-07T04:06:43.836Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-4532 (applicability: vulnerable; submitted 2026-06-03 14:53:28.449002)
Title: Incorrect Authorization in GitLab
Severity: MEDIUM (4.3)
Description: An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects of which they are not a member.
Published: 2023-09-29T06:02:01.299Z
Updated: 2026-04-26T04:06:54.749Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-4379 (applicability: vulnerable; submitted 2026-06-03 14:53:27.889815)
Title: Incorrect Authorization in GitLab
Severity: HIGH (8.1)
Description: An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.
Published: 2023-11-09T21:01:10.733Z
Updated: 2026-06-02T04:13:04.410Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3979 (applicability: vulnerable; submitted 2026-06-03 14:52:42.287458)
Title: Incorrect Authorization in GitLab
Severity: LOW (3.1)
Description: An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible that upstream members allowed to collaborate with you on your branch got permission to write to the merge request's source branch.
Published: 2023-09-29T06:02:06.310Z
Updated: 2026-05-08T04:06:39.092Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3922 (applicability: vulnerable; submitted 2026-06-03 14:52:42.134359)
Title: URL Redirection to Untrusted Site ('Open Redirect') in GitLab
Severity: LOW (3)
Description: An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.
Published: 2023-09-29T07:30:50.402Z
Updated: 2026-04-25T04:05:19.195Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3920 (applicability: vulnerable; submitted 2026-06-03 14:52:42.133866)
Title: Incorrect Authorization in GitLab
Severity: MEDIUM (4.3)
Description: An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a maintainer to create a fork relationship between existing projects, contrary to the documentation.
Published: 2023-09-29T06:02:31.303Z
Updated: 2026-04-25T04:05:14.315Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3917 (applicability: vulnerable; submitted 2026-06-03 14:52:42.133210)
Title: Improper Validation of Specified Type of Input in GitLab
Severity: MEDIUM (4.3)
Description: Denial of Service in pipelines affecting all versions of GitLab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to cause pipelines to fail.
Published: 2023-09-29T06:02:26.304Z
Updated: 2026-04-29T04:04:53.712Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3914 (applicability: vulnerable; submitted 2026-06-03 14:52:42.131963)
Title: Incorrect User Management in GitLab
Severity: MEDIUM (5.4)
Description: A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.
Published: 2023-09-29T06:02:21.304Z
Updated: 2026-04-28T04:04:57.469Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3906 (applicability: vulnerable; submitted 2026-06-03 14:52:42.130518)
Title: Improper Validation of Specified Type of Input in GitLab
Severity: LOW (3.5)
Description: An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image URLs which bypass the asset proxy.
Published: 2023-09-29T06:02:16.308Z
Updated: 2025-11-20T04:08:18.260Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3413 (applicability: vulnerable; submitted 2026-06-03 14:52:40.751704)
Title: Insertion of Sensitive Information Into Sent Data in GitLab
Severity: MEDIUM (6.5)
Description: An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Published: 2023-09-29T08:30:56.742Z
Updated: 2025-11-20T04:07:38.285Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-3115 (applicability: vulnerable; submitted 2026-06-03 14:52:39.957701)
Title: Incorrect User Management in GitLab
Severity: MEDIUM (5.4)
Description: An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.
Published: 2023-09-29T06:02:51.300Z
Updated: 2025-11-20T04:06:58.296Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-2233 (applicability: vulnerable; submitted 2026-06-03 14:51:42.428081)
Title: Missing Authorization in GitLab
Severity: LOW (3.1)
Description: An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.
Published: 2023-09-29T06:30:51.179Z
Updated: 2025-11-20T04:06:48.254Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-0989 (applicability: vulnerable; submitted 2026-06-03 14:48:53.463875)
Title: Improper Ownership Management in GitLab
Severity: MEDIUM (4.3)
Description: An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.
Published: 2023-09-29T06:30:56.081Z
Updated: 2025-11-20T04:06:08.264Z
Rationale: Imported from gcve-enriched-dumps CVE data
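Every entry above marks this CPE as vulnerable because 16.4.0 sits inside the "16.4 prior to 16.4.1" range each description quotes. The following is an added example, written for this page and not part of GitLab, NVD or the db.gcve.eu tooling, that parses a CPE 2.3 formatted string (handling the backslash-escaped colons the naive split misses) and evaluates it against version ranges transcribed from a subset of the descriptions above. Assumptions: versions are dotted integers; a lower bound written as "16.4" means 16.4.0 inclusive and the fixed version is an exclusive upper bound; descriptions naming only "GitLab EE" or "Ultimate-licensed GitLab EE" are flagged `ee_only` and matched against the CPE's `sw_edition`, with the wildcard `*` treated as possibly affected. The `Advisory`, `Range`, `parse_cpe23`, `applicable` and `check_all` names are this example's own.

```python
"""Added example: CPE 2.3 parsing and applicability checks for the ranges
quoted on this page. Not GitLab/NVD code; ranges transcribed by hand."""

from dataclasses import dataclass
from typing import Optional

CPE_KEYS = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    Colons inside a component are escaped as '\\:', so the scanner keeps
    an escape and the character after it together instead of splitting."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped char: keep verbatim
            cur += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_KEYS, parts[2:]))


def vtuple(v: str) -> tuple:
    """'16.4.0' -> (16, 4, 0). Tuples compare lexicographically and
    (16, 4, 0) > (16, 4), so a bound written '16.4' works as inclusive."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class Range:
    lo: Optional[str]   # inclusive; None for "all versions prior to ..."
    hi: str             # exclusive; the fixed version

    def contains(self, version: str) -> bool:
        v = vtuple(version)
        if self.lo is not None and v < vtuple(self.lo):
            return False
        return v < vtuple(self.hi)


@dataclass
class Advisory:
    cve: str
    ranges: list
    ee_only: bool = False   # description names only GitLab EE (assumption)


# Transcribed from the descriptions on this page (subset of the entries).
ADVISORIES = [
    Advisory("CVE-2023-5207", [Range("16.0", "16.2.8"), Range("16.3", "16.3.5"), Range("16.4", "16.4.1")]),
    Advisory("CVE-2023-5198", [Range(None, "16.2.7"), Range("16.3", "16.3.5"), Range("16.4", "16.4.1")]),
    Advisory("CVE-2023-5106", [Range("13.12", "16.2.8"), Range("16.3.0", "16.3.5"), Range("16.4.0", "16.4.1")], ee_only=True),
    Advisory("CVE-2023-4532", [Range("16.2", "16.2.8"), Range("16.3", "16.3.5"), Range("16.4", "16.4.1")]),
    Advisory("CVE-2023-4379", [Range("15.3", "16.2.8"), Range("16.3", "16.3.5"), Range("16.4", "16.4.1")], ee_only=True),
]


def edition_matches(cpe: dict, advisory: Advisory) -> bool:
    """EE-only advisories apply to sw_edition 'enterprise' or the wildcard
    '*' (unknown edition is treated as possibly affected, not as safe)."""
    if not advisory.ee_only:
        return True
    return cpe["sw_edition"] in ("enterprise", "*")


def applicable(cpe_str: str, advisory: Advisory) -> bool:
    cpe = parse_cpe23(cpe_str)
    if cpe["part"] != "a" or (cpe["vendor"], cpe["product"]) != ("gitlab", "gitlab"):
        return False
    if cpe["version"] == "*":   # unversioned CPE: cannot rule it out, flag it
        return True
    return edition_matches(cpe, advisory) and any(r.contains(cpe["version"]) for r in advisory.ranges)


def check_all(cpe_str: str) -> dict:
    """Map each transcribed CVE to whether the given CPE falls in its ranges."""
    return {a.cve: applicable(cpe_str, a) for a in ADVISORIES}


if __name__ == "__main__":
    this_page = "cpe:2.3:a:gitlab:gitlab:16.4.0:*:*:*:enterprise:*:*:*"
    for cve, hit in check_all(this_page).items():
        print(f"{cve}: {'vulnerable' if hit else 'not affected'}")
```

Running it against this page's CPE reports every transcribed CVE as vulnerable; swapping the version for 16.4.1 clears all of them, and swapping `enterprise` for `community` clears only the two EE-only entries. The boundaries are where such matchers usually go wrong: 16.2.7 is inside CVE-2023-5207's "16.0 prior to 16.2.8" but outside CVE-2023-5198's "prior to 16.2.7", which is why the page's lower and upper bounds should be transcribed literally rather than normalised to a common fixed version.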
