apk package
chainguard/gitaly-config-17.7
pkg:apk/chainguard/gitaly-config-17.7
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-29923 | Low | 3.7 | < 17.7.7-r2 | 17.7.7-r2 | Mar 20, 2025 | go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit i | |
| CVE-2025-22870 | Med | 4.4 | < 17.7.7-r1 | 17.7.7-r1 | Mar 12, 2025 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |
| CVE-2025-1198 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 13, 2025 | An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. | ||
| CVE-2025-25184 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 12, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting | ||
| CVE-2025-0516 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 12, 2025 | Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data. | ||
| CVE-2024-12379 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 12, 2025 | A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T | ||
| CVE-2025-0376 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 12, 2025 | An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page. | ||
| CVE-2025-1212 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 12, 2025 | An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information. | ||
| CVE-2025-1042 | — | < 17.7.4-r0 | 17.7.4-r0 | Feb 12, 2025 | An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way. | ||
| CVE-2025-22866 | Med | 4.0 | < 17.7.3-r1 | 17.7.3-r1 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover |
- affected < 17.7.7-r2fixed 17.7.7-r2
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit i
- affected < 17.7.7-r1fixed 17.7.7-r1
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- CVE-2025-1198Feb 13, 2025affected < 17.7.4-r0fixed 17.7.4-r0
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
- CVE-2025-25184Feb 12, 2025affected < 17.7.4-r0fixed 17.7.4-r0
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting
- CVE-2025-0516Feb 12, 2025affected < 17.7.4-r0fixed 17.7.4-r0
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
- CVE-2024-12379Feb 12, 2025affected < 17.7.4-r0fixed 17.7.4-r0
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T
- CVE-2025-0376Feb 12, 2025affected < 17.7.4-r0fixed 17.7.4-r0
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
- CVE-2025-1212Feb 12, 2025affected < 17.7.4-r0fixed 17.7.4-r0
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
- CVE-2025-1042Feb 12, 2025affected < 17.7.4-r0fixed 17.7.4-r0
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
- affected < 17.7.3-r1fixed 17.7.3-r1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover