Is Gitlab community version 11.3.1 is affected by CVE-2023-5009

Hi All, We have a self hosted Gitlab instance which is running on very old version i.e 11.3.1. and is marked under critical vulnerability… It is hosting 3000 projects. I have 2 queries as follows :

  1. Is Gitlab CE 11.3.1 is affected due to this vulnerability ? If yes how can i validate if ‘Direct Transfers’ and ‘Security Policies’ features are enabled ?
  2. For upgrading current version to 16.x do we need to upgrade incrementally or can upgrade directly from version 11.3.1 to 16.x
Says the vulnerability is not present in versions before 13.12. I don’t remember the details, but I have been told here, that they actually do some real work to find out when the vulnerable code was added so that might be correct.
I would be pretty sure that some other CVE’s do describe vulnerabilities that exists i code that old.

When upgrading (and you absolutely should), you have to go through a number of versions, as each contain a migration that needs to be done.
The list used to be in the documentation:

now that only contains information from 14.0, for upgrades from versions further back you have to use the tool at

it seems like you’ll have 17 intermediate versions to go through.


Thanks @grove. As i am left with no option other than upgrading. I’ll start and will keep posted here as its a long journey to reach to latest version with 3000 projects.

Yeah with that number of projects (we have 5000+, so I know that is realistic) some of the migrations will take a while, be sure you’ve read the parts of the documentation about background migrations, and don’t try to start an upgrade before the migrations initiated by the previous have finished.

1 Like