apk package

chainguard/gitlab-rails-ee-assets-fips-17.7

pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.7

Vulnerabilities (31)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-40635		—	< 17.7.7-r2	17.7.7-r2	Mar 17, 2025	containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
CVE-2025-22870	Med	4.4	< 17.7.7-r1	17.7.7-r1	Mar 12, 2025	Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-22868		—	< 17.7.6-r2	17.7.6-r2	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869		—	< 17.7.6-r2	17.7.6-r2	Feb 26, 2025	SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-1198		—	< 17.7.7-r2	17.7.7-r2	Feb 13, 2025	An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
CVE-2025-0516		—	< 17.7.7-r2	17.7.7-r2	Feb 12, 2025	Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
CVE-2024-12379		—	< 17.7.7-r2	17.7.7-r2	Feb 12, 2025	A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T
CVE-2025-0376		—	< 17.7.7-r2	17.7.7-r2	Feb 12, 2025	An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
CVE-2025-1212		—	< 17.7.7-r2	17.7.7-r2	Feb 12, 2025	An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
CVE-2025-1042		—	< 17.7.7-r2	17.7.7-r2	Feb 12, 2025	An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
CVE-2025-22866	Med	4.0	< 17.7.3-r1	17.7.3-r1	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45341	Med	6.1	< 17.7.3-r0	17.7.3-r0	Jan 28, 2025	A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45336	Med	6.1	< 17.7.3-r0	17.7.3-r0	Jan 28, 2025	The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2025-21614		—	< 17.7.2-r0	17.7.2-r0	Jan 6, 2025	go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons
CVE-2025-21613		—	< 17.7.2-r0	17.7.2-r0	Jan 6, 2025	go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag
CVE-2024-36361	Med	6.8	< 0	0	May 24, 2024	Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and t
CVE-2021-23383		—	< 0	0	May 4, 2021	The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-23369		—	< 0	0	Apr 12, 2021	The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-21353		—	< 0	0	Mar 3, 2021	Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug temp
CVE-2020-7788		—	< 0	0	Dec 11, 2020	This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

CVE-2024-40635Mar 17, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
CVE-2025-22870MedMar 12, 2025
affected < 17.7.7-r1fixed 17.7.7-r1
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-22868Feb 26, 2025
affected < 17.7.6-r2fixed 17.7.6-r2
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869Feb 26, 2025
affected < 17.7.6-r2fixed 17.7.6-r2
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-1198Feb 13, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
CVE-2025-0516Feb 12, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
CVE-2024-12379Feb 12, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access T
CVE-2025-0376Feb 12, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
CVE-2025-1212Feb 12, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.
CVE-2025-1042Feb 12, 2025
affected < 17.7.7-r2fixed 17.7.7-r2
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
CVE-2025-22866MedFeb 6, 2025
affected < 17.7.3-r1fixed 17.7.3-r1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45341MedJan 28, 2025
affected < 17.7.3-r0fixed 17.7.3-r0
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45336MedJan 28, 2025
affected < 17.7.3-r0fixed 17.7.3-r0
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2025-21614Jan 6, 2025
affected < 17.7.2-r0fixed 17.7.2-r0
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons
CVE-2025-21613Jan 6, 2025
affected < 17.7.2-r0fixed 17.7.2-r0
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag
CVE-2024-36361MedMay 24, 2024
affected < 0fixed 0
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and t
CVE-2021-23383May 4, 2021
affected < 0fixed 0
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-23369Apr 12, 2021
affected < 0fixed 0
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-21353Mar 3, 2021
affected < 0fixed 0
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug temp
CVE-2020-7788Dec 11, 2020
affected < 0fixed 0
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Page 1 of 2