VYPR

apk package

wolfi/gitlab-runner-helper-18.11

pkg:apk/wolfi/gitlab-runner-helper-18.11

Vulnerabilities (24)

  • CVE-2026-42507MedJun 2, 2026
    affected < 18.11.3-r5fixed 18.11.3-r5

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 0fixed 0

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 18.11.3-r5fixed 18.11.3-r5

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-8716MedMay 27, 2026
    affected < 18.11.4-r0fixed 18.11.4-r0

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.

  • CVE-2026-6713MedMay 27, 2026
    affected < 18.11.4-r0fixed 18.11.4-r0

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.

  • CVE-2026-1402MedMay 27, 2026
    affected < 18.11.4-r0fixed 18.11.4-r0

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.

  • CVE-2026-45571MedMay 27, 2026
    affected < 18.11.3-r2fixed 18.11.3-r2

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v

  • CVE-2026-45570CriMay 27, 2026
    affected < 18.11.3-r2fixed 18.11.3-r2

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito

  • CVE-2026-45022HigMay 27, 2026
    affected < 18.11.3-r1fixed 18.11.3-r1

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa

  • CVE-2026-46598MedMay 22, 2026
    affected < 0fixed 0

    For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

  • CVE-2026-46597HigMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

  • CVE-2026-46595CriMay 22, 2026
    affected < 0fixed 0

    Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

  • CVE-2026-39835MedMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

  • CVE-2026-39834CriMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent trunca

  • CVE-2026-39833CriMay 22, 2026
    affected < 0fixed 0

    The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns a

  • CVE-2026-39832CriMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now

  • CVE-2026-39831CriMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the

  • CVE-2026-39830CriMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now

  • CVE-2026-39829HigMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien

  • CVE-2026-39828MedMay 22, 2026
    affected < 0fixed 0

    When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par

Page 1 of 2