UNCLASSIFIED - NO CUI

Skip to content

chore(findings): gitlab/gitlab/gitlab-rails

Summary

gitlab/gitlab/gitlab-rails has 123 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/gitlab-rails&tag=18.3.1&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2024-32002 Anchore CVE Critical git-1.19.1 0.77245 false
CVE-2024-46981 Anchore CVE High redis-5.4.1 0.69416 false
CVE-2024-45409 Anchore CVE Critical gitlab-4.19.0 0.16139 false
CVE-2025-25291 Anchore CVE Critical gitlab-4.19.0 0.13868 false
CVE-2024-32004 Anchore CVE High git-1.19.1 0.08038 false
CVE-2024-2651 Anchore CVE Medium gitlab-4.19.0 0.05899 false
CVE-2025-48384 Anchore CVE High git-1.19.1 0.04084 true
CVE-2025-25292 Anchore CVE Critical gitlab-4.19.0 0.03205 false
CVE-2025-25293 Anchore CVE High gitlab-4.19.0 0.02034 false
CVE-2017-17095 Anchore CVE Medium libtiff-4.4.0-13.el9 0.01966 false
CVE-2017-16232 Anchore CVE Low libtiff-4.4.0-13.el9 0.01738 false
CVE-2024-31449 Anchore CVE High redis-5.4.1 0.01413 false
CVE-2024-1485 Twistlock CVE Medium github.com/devfile/registry-support/registry-library-v0.0.0-20240521161747-89fc566cb024 0.00807 false
CVE-2024-13054 Anchore CVE Medium gitlab-4.19.0 0.00615 false
CVE-2017-17973 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00419 false
CVE-2023-6277 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00418 false
CVE-2023-6277 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00418 false
CVE-2023-6502 Anchore CVE Medium gitlab-4.19.0 0.00289 false
CVE-2023-52356 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00270 false
CVE-2023-52356 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00270 false
CVE-2025-32023 Anchore CVE High redis-5.4.1 0.00267 false
CVE-2024-36623 Anchore CVE High github.com/docker/docker-v25.0.6+incompatible 0.00239 false
CVE-2024-52006 Anchore CVE Low git-1.19.1 0.00228 false
CVE-2023-25434 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00209 false
CVE-2023-25434 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00209 false
CVE-2024-36620 Anchore CVE Medium github.com/docker/docker-v25.0.6+incompatible 0.00165 false
CVE-2024-2818 Anchore CVE Medium gitlab-4.19.0 0.00156 false
CVE-2024-8796 Twistlock CVE Medium devise-two-factor-4.1.1 0.00144 false
CVE-2023-49090 Twistlock CVE Medium carrierwave-1.3.4 0.00139 false
CVE-2025-1677 Anchore CVE High gitlab-4.19.0 0.00121 false
CVE-2023-52355 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00119 false
CVE-2023-52355 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00119 false
CVE-2024-50349 Anchore CVE Low git-1.19.1 0.00117 false
CVE-2024-2874 Anchore CVE Medium gitlab-4.19.0 0.00116 false
CVE-2025-48385 Anchore CVE High git-1.19.1 0.00112 false
CVE-2025-2853 Anchore CVE Medium gitlab-4.19.0 0.00101 false
CVE-2024-52005 Anchore CVE High git-1.19.1 0.00082 false
CVE-2023-6678 Anchore CVE Medium gitlab-4.19.0 0.00082 false
CVE-2022-1056 Twistlock CVE Low libtiff-4.4.0-13.el9 0.00063 false
CVE-2022-1056 Anchore CVE Low libtiff-4.4.0-13.el9 0.00063 false
CVE-2025-54572 Twistlock CVE Low ruby-saml-1.18.0 0.00061 false
CVE-2025-21605 Anchore CVE High redis-5.4.1 0.00061 false
CVE-2025-0993 Anchore CVE Medium gitlab-4.19.0 0.00060 false
CVE-2025-55193 Twistlock CVE Low activerecord-7.1.5.1 0.00056 false
CVE-2025-47907 Anchore CVE High stdlib-go1.24.2 0.00054 false
CVE-2023-6371 Anchore CVE Medium gitlab-4.19.0 0.00052 false
CVE-2024-5528 Anchore CVE Medium gitlab-4.19.0 0.00047 false
CVE-2025-5996 Anchore CVE Medium gitlab-4.19.0 0.00046 false
CVE-2024-29034 Twistlock CVE Medium carrierwave-1.3.4 0.00044 false
CVE-2022-27943 Anchore CVE Low libstdc++-11.5.0-5.el9_5 0.00044 false
CVE-2024-32020 Anchore CVE Low git-1.19.1 0.00038 false
CVE-2025-48367 Anchore CVE High redis-5.4.1 0.00037 false
CVE-2024-53382 Twistlock CVE Medium prism-1.28.0 0.00036 false
CVE-2023-25435 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00033 false
CVE-2023-25435 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00033 false
CVE-2024-32465 Anchore CVE High git-1.19.1 0.00032 false
CVE-2025-49112 Anchore CVE Low redis-5.4.1 0.00027 false
CVE-2023-25433 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00026 false
CVE-2023-25433 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00026 false
CVE-2023-5117 Anchore CVE Low gitlab-4.19.0 0.00025 false
CVE-2025-8556 Twistlock CVE Low github.com/cloudflare/circl-v1.3.7 0.00022 false
CVE-2025-4673 Twistlock CVE Low net/http-1.24.2 0.00019 false
CVE-2025-4673 Anchore CVE Medium stdlib-go1.24.2 0.00019 false
CVE-2024-0232 Twistlock CVE Low sqlite-3.34.1-8.el9_6 0.00018 false
CVE-2024-0232 Anchore CVE Low sqlite-libs-3.34.1-8.el9_6 0.00018 false
CVE-2025-8961 Twistlock CVE Low libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-8961 Anchore CVE Low libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-8177 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-8177 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-8176 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-8176 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-30258 Twistlock CVE Low gnupg2-2.3.3-4.el9 0.00017 false
CVE-2025-30258 Anchore CVE Low gnupg2-2.3.3-4.el9 0.00017 false
CVE-2023-1916 Twistlock CVE Low libtiff-4.4.0-13.el9 0.00017 false
CVE-2023-1916 Anchore CVE Low libtiff-4.4.0-13.el9 0.00017 false
CVE-2025-2246 Anchore CVE Medium gitlab-4.19.0 0.00016 false
CVE-2025-4979 Anchore CVE High gitlab-4.19.0 0.00015 false
CVE-2025-48386 Anchore CVE Medium git-1.19.1 0.00015 false
CVE-2025-22870 Twistlock CVE Medium golang.org/x/net/proxy-v0.33.0 0.00015 false
CVE-2024-31228 Anchore CVE Medium redis-5.4.1 0.00015 false
CVE-2025-9165 Twistlock CVE Low libtiff-4.4.0-13.el9 0.00014 false
CVE-2025-9165 Anchore CVE Low libtiff-4.4.0-13.el9 0.00014 false
CVE-2025-8851 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00014 false
CVE-2025-8851 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00014 false
CVE-2025-54410 Twistlock CVE Low github.com/docker/docker-v25.0.6 0.00014 false
CVE-2024-40635 Twistlock CVE Medium github.com/containerd/containerd-v1.7.13 0.00014 false
CVE-2024-13978 Twistlock CVE Low libtiff-4.4.0-13.el9 0.00014 false
CVE-2024-13978 Anchore CVE Low libtiff-4.4.0-13.el9 0.00014 false
CVE-2024-32021 Anchore CVE Low git-1.19.1 0.00013 false
CVE-2025-22874 Twistlock CVE Low crypto/x509-1.24.2 0.00012 false
CVE-2025-22874 Anchore CVE High stdlib-go1.24.2 0.00012 false
CVE-2022-3219 Twistlock CVE Low gnupg2-2.3.3-4.el9 0.00012 false
CVE-2022-3219 Anchore CVE Low gnupg2-2.3.3-4.el9 0.00012 false
CVE-2024-9512 Anchore CVE Medium gitlab-4.19.0 0.00011 false
CVE-2024-1347 Anchore CVE Medium gitlab-4.19.0 0.00011 false
CVE-2023-3164 Twistlock CVE Medium libtiff-4.4.0-13.el9 0.00010 false
CVE-2023-3164 Anchore CVE Medium libtiff-4.4.0-13.el9 0.00010 false
CVE-2025-5101 Anchore CVE Medium gitlab-4.19.0 0.00007 false
CVE-2025-4674 Anchore CVE High stdlib-go1.24.2 0.00006 false
CVE-2025-24293 Twistlock CVE Low activestorage-7.1.5.1 N/A false
CVE-2022-3857 Anchore CVE Low libpng-2:1.6.37-12.el9 N/A false
b4337f21f7bd782b4b213936b00998df Anchore Compliance Critical N/A N/A
GHSA-vvgc-356p-c3xw Anchore CVE Medium golang.org/x/net-v0.33.0 N/A N/A
GHSA-vfmv-jfc5-pjjw Anchore CVE Medium carrierwave-1.3.4 N/A N/A
GHSA-rrqh-93c8-j966 Anchore CVE Medium ruby-saml-1.18.0 N/A N/A
GHSA-r4mg-4433-c7g3 Anchore CVE Critical activestorage-7.1.5.1 N/A N/A
GHSA-qxp5-gwg8-xv66 Anchore CVE Medium golang.org/x/net-v0.33.0 N/A N/A
GHSA-qjxf-mc72-wjr2 Anchore CVE Medium devise-two-factor-4.1.1 N/A N/A
GHSA-gxhx-g4fq-49hj Anchore CVE Medium carrierwave-1.3.4 N/A N/A
GHSA-76r7-hhxj-r776 Anchore CVE Medium activerecord-7.1.5.1 N/A N/A
GHSA-6v2p-p543-phr9 Anchore CVE High golang.org/x/oauth2-v0.16.0 N/A N/A
GHSA-4vq8-7jfc-9cvp Anchore CVE Low github.com/docker/docker-v25.0.6+incompatible N/A N/A
GHSA-3965-hpx2-q597 Anchore CVE Medium pug-1.0.0 N/A N/A
GHSA-2x5j-vhc8-9cwm Anchore CVE Low github.com/cloudflare/circl-v1.3.7 N/A N/A
GHSA-265r-hfxg-fhmg Anchore CVE Medium github.com/containerd/containerd-v1.7.13 N/A N/A
CCE-88048-4 OSCAP Compliance Medium N/A N/A
CCE-83613-0 OSCAP Compliance Low N/A N/A
9d45a8e938140f46af01fe87fa4003fa Anchore Compliance Critical N/A N/A
85567da27ab943cdfb6f54ec28a6fb7d Anchore Compliance Critical N/A N/A
82146aec4e12f16ec2c3fe690f9484e5 Anchore Compliance Critical N/A N/A
30cfb17e730480765f1bc2bad28a81c8 Anchore Compliance Critical N/A N/A
2a31d02643eaefbbe4c387f3922a0fe7 Anchore Compliance Critical N/A N/A
21fa99e6694d546b7f2d4e436f4d1ba4 Anchore Compliance Critical N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/gitlab-rails&tag=18.3.1&branch=master

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by CHORE_TOKEN
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI