apk package
wolfi/gitlab-runner-18.1
pkg:apk/wolfi/gitlab-runner-18.1
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-47906 | — | | | < 18.1.3-r2 | 18.1.3-r2 | Sep 18, 2025 | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned. |
| CVE-2025-2246 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API. |
| CVE-2025-3601 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessive |
| CVE-2025-4225 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by |
| CVE-2025-5101 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 27, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taki |
| CVE-2024-12303 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 13, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential |
| CVE-2025-1477 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 13, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integr |
| CVE-2025-2614 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 13, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessi |
| CVE-2025-2937 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 13, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki f |
| CVE-2025-6186 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 13, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names. |
| CVE-2025-7734 | — | | | < 18.1.3-r1 | 18.1.3-r1 | Aug 13, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content. |
| CVE-2025-47907 | — | | | < 0 | 0 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex |
| CVE-2024-36623 | — | | | < 0 | 0 | Nov 29, 2024 | moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes. |