7830 matches found
CVE-2025-24362 CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...
CVE-2024-11931
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint...
UBUNTU-CVE-2024-11931
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint...
CVE-2024-11931 Insufficient Granularity of Access Control in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint...
PT-2025-1718 · Gitlab · Gitlab Ce/Ee
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 17.0 through 17.6.3 GitLab CE/EE versions 17.7 through 17.7.2 GitLab CE/EE versions 17.8 through 17.8.0 Description: An issue has been discovered in GitLab CE/EE that affects users with a developer role, allowing them to...
CodeQL Action log information disclosure vulnerability
CodeQL Action is a GitHub open source application. It is used to run CodeQL, GitHub's industry-leading static analysis engine, on repository source code to find security vulnerabilities. A log message disclosure vulnerability exists in CodeQL Action versions prior to 3.28.3, which stems from...
PT-2025-5344 · Github · Codeql Action +1
Name of the Vulnerable Software and Affected Versions: CodeQL Action versions prior to 3.28.3 CodeQL CLI versions prior to 2.20.3 Description: In certain circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain environment variables from t...
CVE-2021-42718
Information Disclosure in API in Replicated Replicated Classic versions prior to 2.53.1 on all platforms allows authenticated users with Admin Console access to retrieve sensitive data, including application secrets, via accessing container definitions with environment variables through the Admin...
CVE-2021-42718
CVE-2021-42718 affects Replicated Classic versions prior to 2.53.1. An authenticated Admin Console API (port 8800) may expose container definitions containing environment variables, potentially revealing application secrets. Impact is information disclosure for users with valid credentials and A...
FreeBSD : Gitlab -- Vulnerabilities (24c93a28-d95b-11ef-b6b2-2cf05da270f3)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 24c93a28-d95b-11ef-b6b2-2cf05da270f3 advisory. Gitlab reports: Stored XSS via Asciidoctor render Developer could exfiltrate protected CI/CD...
PT-2025-1359 · Unknown · Replicated Classic
Name of the Vulnerable Software and Affected Versions: Replicated Classic versions prior to 2.53.1 Description: The issue allows authenticated users with Admin Console access to retrieve sensitive data, including application secrets, via accessing container definitions with environment variables...
Cross-site Scripting (XSS)
Overview prestashop/pscontactinfo is a package for displaying additional information about your store's customer service. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the getWidgetVariables function, due to the use of the nofilter tag, which allows malicious...
sniff_csv provides filesystem access even when enable_external_access is disabled in duckdb
Summary Content in filesystem is accessible for reading using sniff_csv, even with enable_external_access=false. Details During a pentest, a security researcher was able to access environment variable data and other system data by using the sniff_csv function, even though we set enable_external_access ...
PT-2025-4138
Name of the Vulnerable Software and Affected Versions PostgreSQL versions prior to 17.1 Description A high severity flaw allows unprivileged users to alter sensitive environment variables, such as PATH, potentially leading to code execution. Recommendations For versions prior to 17.1, update to t...
LibreOffice 24.8.x < 24.8.4 Multiple vulnerabilities
The version of LibreOffice installed on the remote host is prior to 24.8.4. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory. - Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in The Document Foundation LibreOffice...
SUSE-RU-2025:0145-1 Recommended update for bubblewrap, flatpak, wayland-protocols
This update for bubblewrap, flatpak updates flatpak to 1.16.0. flatpak changes: - Update to version 1.16.0: + Bug fixes: - Update libglnx to 2024-12-06: . Fix an assertion failure if creating a parent directory encounters a dangling symlink. . Fix a Meson warning. . Don't emit terminal progress...
CVE-2024-12226
In affected versions of the Octopus Kubernetes worker or agent, sensitive variables could be written to the Kubernetes script pod log in clear-text. This was identified in Version 2 however it was determined that this could also be achieved in Version 1 and the fix was applied to both versions...