apk package
chainguard/gitlab-workhorse-ce-18.3
pkg:apk/chainguard/gitlab-workhorse-ce-18.3
Vulnerabilities (42)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61731 | — | — | — | < 18.3.6-r3 | 18.3.6-r3 | Jan 28, 2026 | Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can |
| CVE-2025-68119 | — | — | — | < 18.3.6-r3 | 18.3.6-r3 | Jan 28, 2026 | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are |
| CVE-2025-3950 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. |
| CVE-2025-9222 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. |
| CVE-2025-10569 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. |
| CVE-2025-11246 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating |
| CVE-2025-12029 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in |
| CVE-2025-12734 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT |
| CVE-2025-4097 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. |
| CVE-2025-8405 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int |
| CVE-2025-11984 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con |
| CVE-2025-12562 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query |
| CVE-2025-13978 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access to through API requests. |
| CVE-2025-14157 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters |
| CVE-2025-61727 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 3, 2025 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. |
| CVE-2025-61729 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |
| CVE-2025-7449 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Nov 26, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing |
| CVE-2025-12571 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Nov 26, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing ma |
| CVE-2025-12653 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Nov 26, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests |
| CVE-2025-13611 | — | — | — | < 18.3.6-r2 | 18.3.6-r2 | Nov 26, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.5.5 and 18.6 before 18.6.3 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions. |
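The practical question this table answers is whether the `gitlab-workhorse-ce-18.3` build in a given image is at or above the "Fixed in" version for each row. The following is an added example, not code from Chainguard or GitLab: it parses the `18.3.6-rN` package versions used on this page, compares them the way the table implies (upstream version first, then the `-rN` package revision), and reports which listed CVEs are still open for an installed version. The CVE-to-fix mapping is copied from the table above; the function and type names are this example's own. It deliberately handles only the `major.minor.patch-rN` form seen here and not the full apk version grammar (suffixes such as `_alpha` or `_p1`).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// apkVersion is the parsed form of a package version such as "18.3.6-r2":
// dotted numeric upstream components plus a package revision (-rN).
type apkVersion struct {
	parts []int
	rev   int
}

// parseAPKVersion accepts "X.Y.Z" or "X.Y.Z-rN". A missing revision is r0.
func parseAPKVersion(s string) (apkVersion, error) {
	var v apkVersion
	base, revStr, hasRev := strings.Cut(s, "-r")
	if hasRev {
		r, err := strconv.Atoi(revStr)
		if err != nil {
			return v, fmt.Errorf("bad revision in %q: %w", s, err)
		}
		v.rev = r
	}
	for _, p := range strings.Split(base, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		v.parts = append(v.parts, n)
	}
	return v, nil
}

// compareAPKVersions returns -1, 0 or 1. Missing trailing components count
// as 0, and the -rN revision only decides between equal upstream versions.
func compareAPKVersions(a, b apkVersion) int {
	n := len(a.parts)
	if len(b.parts) > n {
		n = len(b.parts)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a.parts) {
			x = a.parts[i]
		}
		if i < len(b.parts) {
			y = b.parts[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	if a.rev < b.rev {
		return -1
	}
	if a.rev > b.rev {
		return 1
	}
	return 0
}

// advisory is one row of the table: the CVE and the package version that fixes it.
type advisory struct{ cve, fixedIn string }

// fixedVersions is copied from the table above (this page of the listing only).
var fixedVersions = []advisory{
	{"CVE-2025-61731", "18.3.6-r3"}, {"CVE-2025-68119", "18.3.6-r3"},
	{"CVE-2025-3950", "18.3.6-r2"}, {"CVE-2025-9222", "18.3.6-r2"},
	{"CVE-2025-10569", "18.3.6-r2"}, {"CVE-2025-11246", "18.3.6-r2"},
	{"CVE-2025-12029", "18.3.6-r2"}, {"CVE-2025-12734", "18.3.6-r2"},
	{"CVE-2025-4097", "18.3.6-r2"}, {"CVE-2025-8405", "18.3.6-r2"},
	{"CVE-2025-11984", "18.3.6-r2"}, {"CVE-2025-12562", "18.3.6-r2"},
	{"CVE-2025-13978", "18.3.6-r2"}, {"CVE-2025-14157", "18.3.6-r2"},
	{"CVE-2025-61727", "18.3.6-r2"}, {"CVE-2025-61729", "18.3.6-r2"},
	{"CVE-2025-7449", "18.3.6-r2"}, {"CVE-2025-12571", "18.3.6-r2"},
	{"CVE-2025-12653", "18.3.6-r2"}, {"CVE-2025-13611", "18.3.6-r2"},
}

// unfixedCVEs returns the CVEs whose fix version is newer than the installed one.
func unfixedCVEs(installed string, advisories []advisory) ([]string, error) {
	inst, err := parseAPKVersion(installed)
	if err != nil {
		return nil, err
	}
	var open []string
	for _, a := range advisories {
		fix, err := parseAPKVersion(a.fixedIn)
		if err != nil {
			return nil, err
		}
		if compareAPKVersions(inst, fix) < 0 {
			open = append(open, a.cve)
		}
	}
	return open, nil
}

func main() {
	// Sample installed versions (constructed for the example).
	for _, v := range []string{"18.3.6-r1", "18.3.6-r2", "18.3.6-r3", "18.3.7-r0"} {
		open, err := unfixedCVEs(v, fixedVersions)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s %2d unfixed: %v\n", v, len(open), open)
	}
}
```

The installed version string is what `apk info -v` or an SBOM reports for the package; the comparison is a plain version check and says nothing about whether the vulnerable code path is reachable in your deployment.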
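The CVE-2025-61727 row describes a logic gap in name-constraint checking: an excluded dNSName subtree such as `test.example.com` must also rule out a leaf SAN `*.example.com`, because that wildcard matches `test.example.com`. The block below is an added example, not the Go standard library's fix or Chainguard's code: it is an audit check that, given a leaf's DNS SANs and a chain's excluded dNSName constraints, reports which SANs fall inside an excluded subtree, treating a wildcard as matching exactly one label (the rule Go's verifier uses for hostname matching). Function names are this example's own; it assumes plain `example.com`-style constraints and does not handle the leading-dot constraint form.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeDNS lowercases a name and drops a trailing dot so comparisons are label-wise.
func normalizeDNS(s string) string {
	return strings.ToLower(strings.TrimSuffix(s, "."))
}

// dnsInSubtree reports whether name is the constraint base itself or any
// name below it, which is how an excluded dNSName subtree is scoped.
func dnsInSubtree(name, base string) bool {
	name, base = normalizeDNS(name), normalizeDNS(base)
	return name == base || strings.HasSuffix(name, "."+base)
}

// wildcardOverlapsSubtree reports whether a SAN "*.D" can match at least one
// name inside the excluded subtree E. The wildcard stands for exactly one
// label, so the set {x.D} intersects the subtree E when either
//   - D equals E or lies under E (then every x.D is under E), or
//   - E is exactly one label below D (then the wildcard matches E itself).
func wildcardOverlapsSubtree(wildcard, excluded string) bool {
	d := normalizeDNS(strings.TrimPrefix(wildcard, "*."))
	e := normalizeDNS(excluded)
	if dnsInSubtree(d, e) {
		return true
	}
	if strings.HasSuffix(e, "."+d) {
		// E = <something>.D; overlap only if <something> is a single label.
		head := strings.TrimSuffix(e, "."+d)
		return !strings.Contains(head, ".")
	}
	return false
}

// excludedSANs lists the leaf SANs that are inside, or can wildcard into,
// any of the excluded subtrees. A non-empty result means the leaf should
// have been rejected by the chain's name constraints.
func excludedSANs(sans, excluded []string) []string {
	var hits []string
	for _, san := range sans {
		for _, ex := range excluded {
			var hit bool
			if strings.HasPrefix(san, "*.") {
				hit = wildcardOverlapsSubtree(san, ex)
			} else {
				hit = dnsInSubtree(san, ex)
			}
			if hit {
				hits = append(hits, san)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample: the advisory's own case plus a few neighbours.
	excluded := []string{"test.example.com"}
	leafSANs := []string{
		"*.example.com",      // wildcard reaches test.example.com: must be rejected
		"*.test.example.com", // entirely inside the excluded subtree
		"www.example.com",    // sibling of the excluded name: allowed
		"*.example.org",      // different domain: allowed
	}
	fmt.Println("SANs violating the excluded constraint:", excludedSANs(leafSANs, excluded))
}
```

The check is conservative in the direction a verifier must be: it flags any wildcard whose match set intersects the excluded subtree, which is exactly the case the advisory says the affected versions missed.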
Page 2 of 3