
GitLab

GitLab packages Git repository hosting, CI/CD, a container registry, and security scanning in one Rails application. Core product vulnerabilities in NVD are attributed to the CPE vendor/product pair gitlab:gitlab, with explicit semver ranges covering both Community and Enterprise editions.

api usage

Querying GitLab

product slug: gitlab
version format: 16.7.0, 17.2.0
```bash
curl "https://api.attestd.io/v1/check?product=gitlab&version=16.7.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

16.7.0 is vulnerable to CVE-2023-7028 (CVSS 10.0, CISA KEV): password reset emails could be delivered to an unverified, user-controlled secondary email address, so an attacker who supplied such an address could receive the reset token and take over the account without authenticating.

```json
{
  "product": "gitlab",
  "version": "16.7.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": ["account_takeover", "actively_exploited", "patch_available"],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "16.7.2",
  "confidence": 0.95,
  "cve_ids": ["CVE-2023-7028"],
  "last_updated": "2026-05-11T00:00:00Z"
}
```
patched line

16.7.2 carries the fix for CVE-2023-7028 on the 16.7 stable train. Because fixes land as patch releases on each stable train, always map your installation to the exact GitLab patch release when reading NVD ranges; knowing only the minor version (16.7) does not tell you whether the patch is present.

```bash
curl "https://api.attestd.io/v1/check?product=gitlab&version=16.7.2" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```
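The two curl calls above return a JSON report; what a practitioner actually needs is a repeatable decision on top of it. The script below is an added example, not code from attestd.io, that turns such a report into a CI gate verdict. It assumes the endpoint and field names exactly as shown on this page, embeds the page's 16.7.0 response as constructed sample data, and adds a constructed, assumed "clean" response for 16.7.2 (the page does not show that one). It also compares versions numerically, so that a later patch release such as 16.10.0 is not mistaken for an older one by string comparison, and it flags the mapping mistake the "patched line" note warns about: a report whose fixed_version is not newer than the installed release.

```python
"""Gate a GitLab deployment on the attestd.io /v1/check report (hypothetical service shown on the page)."""
import json
import os
import urllib.request
from urllib.parse import urlencode

API_URL = "https://api.attestd.io/v1/check"  # endpoint as shown in the page's curl examples

# Constructed sample: the response the page shows for GitLab 16.7.0.
SAMPLE_16_7_0 = json.loads("""
{
  "product": "gitlab",
  "version": "16.7.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": ["account_takeover", "actively_exploited", "patch_available"],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "16.7.2",
  "confidence": 0.95,
  "cve_ids": ["CVE-2023-7028"],
  "last_updated": "2026-05-11T00:00:00Z"
}
""")

# Constructed sample (an assumption): a clean report for the patched release.
# The page does not show the 16.7.2 response; field names follow the 16.7.0 one.
SAMPLE_16_7_2 = {
    "product": "gitlab", "version": "16.7.2", "supported": True,
    "risk_state": "none", "risk_factors": [], "actively_exploited": False,
    "remote_exploitable": False, "authentication_required": False,
    "patch_available": False, "fixed_version": None, "confidence": 0.95,
    "cve_ids": [], "last_updated": "2026-05-11T00:00:00Z",
}


def parse_version(version):
    """Turn '16.7.2' into (16, 7, 2) so patch releases compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def fetch_report(product, version, api_key):
    """Live query equivalent to the page's curl call; not exercised offline."""
    url = f"{API_URL}?{urlencode({'product': product, 'version': version})}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess(report, installed_version):
    """Map a check report to (verdict, upgrade_to, reasons).

    verdict is 'block', 'warn', 'pass' or 'unknown'; 'unknown' means the data
    cannot be trusted for this install and a human must verify the mapping.
    """
    reasons = []
    if not report.get("supported", False):
        return "unknown", None, ["version not covered by the dataset; verify manually"]
    if report.get("version") != installed_version:
        return "unknown", None, [f"report is for {report.get('version')}, not {installed_version}"]

    cves = report.get("cve_ids", [])
    fixed = report.get("fixed_version")
    if not cves:
        return "pass", None, ["no known CVEs for this exact patch release"]

    # A fixed_version at or below the installed release means the install was
    # matched against the wrong stable train or release: do not trust the verdict.
    if fixed and parse_version(installed_version) >= parse_version(fixed):
        reasons.append(f"fixed_version {fixed} is not newer than {installed_version}; recheck the mapping")
        return "unknown", fixed, reasons

    if report.get("actively_exploited"):
        reasons.append("listed as actively exploited (KEV-style signal)")
    if report.get("risk_state") == "critical":
        reasons.append("risk_state is critical")
    if report.get("remote_exploitable") and not report.get("authentication_required"):
        reasons.append("remote, pre-authentication exposure")

    verdict = "block" if (report.get("actively_exploited") or report.get("risk_state") == "critical") else "warn"
    reasons.append("affected by " + ", ".join(cves))
    if fixed:
        reasons.append(f"upgrade to {fixed} or later")
    return verdict, fixed, reasons


if __name__ == "__main__":
    key = os.environ.get("ATTESTD_KEY")
    installed = "16.7.0"
    # With ATTESTD_KEY set, query the live service; otherwise use the constructed sample.
    report = fetch_report("gitlab", installed, key) if key else SAMPLE_16_7_0
    verdict, upgrade_to, reasons = assess(report, installed)
    print(verdict, upgrade_to)
    for reason in reasons:
        print(" -", reason)
```

Run it with the installed patch release as the single source of truth for the query: the version mismatch and fixed_version checks exist precisely so that a report for 16.7 in general, or for a neighbouring train, is never read as a verdict on the release you actually run.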
notable cves

CVE history

| CVE | Description | CVSS |
|---|---|---|
| CVE-2023-7028 | Password reset sent to unverified emails (CISA KEV). | 10.0 |
| CVE-2024-6385 | Pipeline job token reuse across projects. | 9.6 |
| CVE-2023-2825 | Path traversal via nested repository import. | 10.0 |