apk package
chainguard/gitlab-cng-fips-17.6
pkg:apk/chainguard/gitlab-cng-fips-17.6
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-1198 | — | < 17.6.5-r0 | 17.6.5-r0 | Feb 13, 2025 | An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. | ||
| CVE-2024-12379 | — | < 17.6.5-r0 | 17.6.5-r0 | Feb 12, 2025 | A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T | ||
| CVE-2025-0376 | — | < 17.6.5-r0 | 17.6.5-r0 | Feb 12, 2025 | An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page. | ||
| CVE-2025-1212 | — | < 17.6.5-r0 | 17.6.5-r0 | Feb 12, 2025 | An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information. | ||
| CVE-2025-1042 | — | < 17.6.5-r0 | 17.6.5-r0 | Feb 12, 2025 | An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way. | ||
| CVE-2025-22866 | Med | 4.0 | < 17.6.1-r6 | 17.6.1-r6 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover | |
| CVE-2025-0290 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 28, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive. | ||
| CVE-2024-45341 | Med | 6.1 | < 17.6.1-r5 | 17.6.1-r5 | Jan 28, 2025 | A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. | |
| CVE-2024-45336 | Med | 6.1 | < 17.6.1-r5 | 17.6.1-r5 | Jan 28, 2025 | The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re | |
| CVE-2024-11931 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 24, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables | ||
| CVE-2025-0314 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 24, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting. | ||
| CVE-2024-13041 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 9, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider | ||
| CVE-2024-6324 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 9, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics. | ||
| CVE-2024-12431 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 8, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects. | ||
| CVE-2025-0194 | — | < 17.6.5-r0 | 17.6.5-r0 | Jan 8, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific ma | ||
| CVE-2024-45338 | Med | 5.3 | < 17.6.1-r4 | 17.6.1-r4 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-8116 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 16, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names. | ||
| CVE-2024-8650 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 16, 2024 | An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests. | ||
| CVE-2024-8179 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled. | ||
| CVE-2024-8233 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request. |
- CVE-2025-1198Feb 13, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
- CVE-2024-12379Feb 12, 2025affected < 17.6.5-r0fixed 17.6.5-r0
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T
- CVE-2025-0376Feb 12, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
- CVE-2025-1212Feb 12, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
- CVE-2025-1042Feb 12, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
- affected < 17.6.1-r6fixed 17.6.1-r6
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
- CVE-2025-0290Jan 28, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive.
- affected < 17.6.1-r5fixed 17.6.1-r5
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
- affected < 17.6.1-r5fixed 17.6.1-r5
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
- CVE-2024-11931Jan 24, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables
- CVE-2025-0314Jan 24, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.
- CVE-2024-13041Jan 9, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider
- CVE-2024-6324Jan 9, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics.
- CVE-2024-12431Jan 8, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.
- CVE-2025-0194Jan 8, 2025affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific ma
- affected < 17.6.1-r4fixed 17.6.1-r4
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- CVE-2024-8116Dec 16, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.
- CVE-2024-8650Dec 16, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.
- CVE-2024-8179Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.
- CVE-2024-8233Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.
Page 1 of 2