apk package
chainguard/gitlab-workhorse-ce-18.1
pkg:apk/chainguard/gitlab-workhorse-ce-18.1
Vulnerabilities (60)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58185 | — | < 18.1.6-r1 | 18.1.6-r1 | Oct 29, 2025 | Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. | ||
| CVE-2025-47912 | — | < 18.1.6-r1 | 18.1.6-r1 | Oct 29, 2025 | The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse | ||
| CVE-2025-61723 | — | < 18.1.6-r1 | 18.1.6-r1 | Oct 29, 2025 | The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | ||
| CVE-2025-58189 | — | < 18.1.6-r1 | 18.1.6-r1 | Oct 29, 2025 | When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. | ||
| CVE-2025-58187 | — | < 18.1.6-r1 | 18.1.6-r1 | Oct 29, 2025 | Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. | ||
| CVE-2025-10497 | — | < 18.1.6-r3 | 18.1.6-r3 | Oct 27, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads. | ||
| CVE-2025-11974 | — | < 18.1.6-r3 | 18.1.6-r3 | Oct 27, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints | ||
| CVE-2025-11447 | — | < 18.1.6-r3 | 18.1.6-r3 | Oct 27, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON paylo | ||
| CVE-2025-10004 | — | < 18.1.6-r3 | 18.1.6-r3 | Oct 9, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs. | ||
| CVE-2025-2934 | — | < 18.1.6-r3 | 18.1.6-r3 | Oct 9, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that | ||
| CVE-2025-8014 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 27, 2025 | Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service dis | ||
| CVE-2025-11042 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using speci | ||
| CVE-2025-5069 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name t | ||
| CVE-2025-10868 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs. | ||
| CVE-2025-7691 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain un | ||
| CVE-2025-9642 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover. | ||
| CVE-2025-9958 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations. | ||
| CVE-2025-10858 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files. | ||
| CVE-2025-10867 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated | ||
| CVE-2025-10871 | — | < 18.1.6-r3 | 18.1.6-r3 | Sep 26, 2025 | An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively gran |
- CVE-2025-58185Oct 29, 2025affected < 18.1.6-r1fixed 18.1.6-r1
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
- CVE-2025-47912Oct 29, 2025affected < 18.1.6-r1fixed 18.1.6-r1
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
- CVE-2025-61723Oct 29, 2025affected < 18.1.6-r1fixed 18.1.6-r1
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
- CVE-2025-58189Oct 29, 2025affected < 18.1.6-r1fixed 18.1.6-r1
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
- CVE-2025-58187Oct 29, 2025affected < 18.1.6-r1fixed 18.1.6-r1
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
- CVE-2025-10497Oct 27, 2025affected < 18.1.6-r3fixed 18.1.6-r3
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads.
- CVE-2025-11974Oct 27, 2025affected < 18.1.6-r3fixed 18.1.6-r3
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints
- CVE-2025-11447Oct 27, 2025affected < 18.1.6-r3fixed 18.1.6-r3
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON paylo
- CVE-2025-10004Oct 9, 2025affected < 18.1.6-r3fixed 18.1.6-r3
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
- CVE-2025-2934Oct 9, 2025affected < 18.1.6-r3fixed 18.1.6-r3
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that
- CVE-2025-8014Sep 27, 2025affected < 18.1.6-r3fixed 18.1.6-r3
Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service dis
- CVE-2025-11042Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using speci
- CVE-2025-5069Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name t
- CVE-2025-10868Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs.
- CVE-2025-7691Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain un
- CVE-2025-9642Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover.
- CVE-2025-9958Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations.
- CVE-2025-10858Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files.
- CVE-2025-10867Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated
- CVE-2025-10871Sep 26, 2025affected < 18.1.6-r3fixed 18.1.6-r3
An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively gran
Page 3 of 3