apk package
chainguard/gitlab-cng-fips-17.6
pkg:apk/chainguard/gitlab-cng-fips-17.6
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8647 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled. | ||
| CVE-2024-9367 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing tem | ||
| CVE-2024-9387 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint. | ||
| CVE-2024-11274 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration. | ||
| CVE-2024-12570 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to | ||
| CVE-2024-12292 | — | < 17.6.5-r0 | 17.6.5-r0 | Dec 12, 2024 | An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs. | ||
| CVE-2024-45337 | Cri | 9.1 | < 17.6.1-r2 | 17.6.1-r2 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that |
- CVE-2024-8647Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.
- CVE-2024-9367Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing tem
- CVE-2024-9387Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
- CVE-2024-11274Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.
- CVE-2024-12570Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to
- CVE-2024-12292Dec 12, 2024affected < 17.6.5-r0fixed 17.6.5-r0
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.
- affected < 17.6.1-r2fixed 17.6.1-r2
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
Page 2 of 2