CVE-2024-11828 vulnerabilities
Vulnerabilities for packages: gitlab-runner-fips...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: flux-source-controller, hugo-extended, tempo, fluent-bit-plugin-loki, buildkitd, druid, guac, flyte, py3-cassandra-medusa, sigstore-scaffolding, k8sgpt, argo-workflows, py3-azure-identity, thanos, step, rclone, ksops, rekor, sqlpad, datadog-agent, wal-g,...
UBUNTU-CVE-2024-2874
An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources...
GitLab 1.0 < 13.1.3 / 13.2 < 13.2.3 / 13.3 < 13.3.1 (CVE-2020-13310)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A vulnerability was discovered in GitLab runner versions before 13.1.3, 13.2.3 and 13.3.1. It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial o...
BIT-GITLAB-2020-13347
A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with the docker executor, an attacker can run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable...
BIT-GITLAB-2021-39939
An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to...
BIT-GITLAB-2022-4201
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner...
BIT-GITLAB-RUNNER-2020-13327
An issue has been discovered in GitLab Runner affecting all versions starting from 13.4.0 before 13.4.2, all versions starting from 13.3.0 before 13.3.7, all versions starting from 13.2.0 before 13.2.10. Insecure Runner Configuration in Kubernetes Environments...
BIT-GITLAB-RUNNER-2022-2251
Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that othe...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: trivy, datadog-agent, caddy, crossplane-provider-azure-managedidentity, fulcio, kube-bench, rabbitmq-messaging-topology-operator, kube-state-metrics, prometheus-beat-exporter-fips, metacontroller, external-secrets-fips, haproxy-ingress, cadvisor, sonobuoy, hubble-fip...
GitLab 13.7 < 14.3.4 / 14.4 < 14.4.2 / 14.5 < 14.5.2 (CVE-2021-39939)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from...
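The runner advisories above all state their affected ranges in the same "all versions starting from X before Y" form, which is easy to misread by hand (and string comparison gets 13.2.10 versus 13.2.9 wrong). The following Python is added here as an illustration; it is not GitLab's code and not part of any advisory. It transcribes the ranges exactly as the summaries above give them for CVE-2020-13310, CVE-2020-13347, CVE-2020-13327, CVE-2021-39939 and CVE-2022-2251 and reports which of them cover a given gitlab-runner version. A clause written as "before Y" with no stated start is encoded as open below. The installed_runner_version helper assumes that `gitlab-runner --version` prints a line beginning with "Version:"; that output format is an assumption, and the helper returns None when the binary is absent.

```python
"""Added illustration for this page: check a gitlab-runner version against the
affected ranges quoted in the advisory summaries above.  Not GitLab's code; the
ranges are transcribed from the summaries, not pulled from a live feed."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, upper bound exclusive), one tuple per
# "all versions starting from X before Y" clause.  "prior to Y" with no
# stated start is encoded with lower=None (open below).
RUNNER_ADVISORIES: Dict[str, List[Tuple[Optional[str], str]]] = {
    "CVE-2020-13310": [(None, "13.1.3"), ("13.2", "13.2.3"), ("13.3", "13.3.1")],
    "CVE-2020-13347": [(None, "13.2.4"), ("13.3", "13.3.2"), ("13.4", "13.4.1")],
    "CVE-2020-13327": [("13.2.0", "13.2.10"), ("13.3.0", "13.3.7"), ("13.4.0", "13.4.2")],
    "CVE-2021-39939": [("13.7", "14.3.6"), ("14.4", "14.4.4"), ("14.5", "14.5.2")],
    "CVE-2022-2251": [(None, "15.3.5"), ("15.4", "15.4.4"), ("15.5", "15.5.2")],
}

_VERSION_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """'15.4.3', 'v15.4' or '15.4.3 (abc123)' -> (15, 4, 3); missing parts are 0.
    Tuples compare numerically, so 13.2.10 > 13.2.9 (string comparison would not)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def advisories_affecting(version: str) -> List[str]:
    """Return the CVE ids whose stated ranges cover `version`, in table order."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, ranges in RUNNER_ADVISORIES.items():
        for lower, upper in ranges:
            above_lower = lower is None or v >= parse_version(lower)
            if above_lower and v < parse_version(upper):
                hits.append(cve)
                break
    return hits


def installed_runner_version() -> Optional[str]:
    """Read the version of a locally installed binary.  Assumes (not verified
    here) that `gitlab-runner --version` prints a line starting with 'Version:';
    returns None if the binary is missing or the output does not match."""
    try:
        proc = subprocess.run(["gitlab-runner", "--version"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    m = re.search(r"^Version:\s*(\S+)", proc.stdout, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    local = installed_runner_version()
    samples = ([local] if local else []) + ["13.3.0", "14.3.5", "15.4.3", "15.5.2"]
    for candidate in samples:
        hits = advisories_affecting(candidate)
        print(f"{candidate:>10}: {hits or 'none of the listed advisories'}")
```

Note that a version such as 14.3.5 is reported under both CVE-2021-39939 and CVE-2022-2251, because the latter's first clause ("all versions prior to 15.3.5") has no lower bound; that is what the summary says, so the checker does not narrow it.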
CVE-2023-39325 vulnerabilities
Vulnerabilities for packages: aws-efs-csi-driver, caddy, kube-logging-logging-operator, newrelic-infrastructure-agent, atlantis, terraform-provider-sendgrid-fips, runc, aactl, kaf, kube-state-metrics, prometheus-adapter-fips, external-dns, kubescape, git-lfs, buildkitd,...
CVE-2023-39325 vulnerabilities
Vulnerabilities for packages: pulumi-language-java, helm, k8sgpt, kubeflow-katib, kind, falco, slsa-verifier, kubernetes-csi-livenessprobe, aws-load-balancer-controller, rqlite, kubernetes-csi-external-provisioner, metacontroller, kubernetes-ingress-defaultbackend, kube-logging-operator,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: pulumi-language-java, helm, kubeflow-katib, kind, slsa-verifier, kubernetes-csi-livenessprobe, cortex, rqlite, metacontroller, memcached-exporter, external-dns, flux-notification-controller, grype, nodetaint, nghttp2, minio, conftest, aactl, flux-source-controller,...
CVE-2023-44487 vulnerabilities
Vulnerabilities for packages: pulumi-language-java, helm, kubeflow-katib, kind, slsa-verifier, kubernetes-csi-livenessprobe, cortex, rqlite, metacontroller, memcached-exporter, external-dns, flux-notification-controller, grype, nodetaint, nghttp2, minio, conftest, aactl, flux-source-controller,...
Server-Side Request Forgery (SSRF)
gitlab is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability exists in the web terminal advertise_address setting, which allows an attacker to connect to local addresses when configuring a malicious GitLab Runner...
CVE-2022-4201
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner...
Command Injection
github.com/gitlabhq/gitlab-runner is vulnerable to Command Injection. The vulnerability exists because branch names are not properly sanitized before being used in commands, allowing an attacker who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in...
CVE-2022-2251
Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that othe...
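CVE-2022-2251 is an instance of a branch name reaching command execution. The following Python is an added illustration of that bug class for this page; it is not GitLab Runner's code and does not reproduce the runner's actual affected code path. The vulnerable function splices the branch name into a shell script string, the hardened one hands it to the shell as a positional parameter that is expanded as data and never re-parsed, and is_plausible_branch_name is an assumed, approximate allow-list modelled on git's ref-name rules, offered as defence in depth rather than as the fix. `echo` stands in for the real git command so the example runs offline, and the malicious branch name is constructed for the example.

```python
"""Added illustration of the bug class behind CVE-2022-2251 (branch name reaching
command execution).  Generic demonstration, not GitLab Runner's code path."""
import re
import subprocess

# Constructed malicious branch name: the text after ';' becomes a second
# command if the name is ever interpreted as shell syntax.
CRAFTED_BRANCH = "main; echo INJECTED"


def run_vulnerable(branch: str) -> str:
    """Splice the branch name into the script text (the pattern to avoid).
    `echo` stands in for the real git command so this runs offline."""
    script = f"echo checking out {branch}"
    return subprocess.run(["sh", "-c", script],
                          capture_output=True, text=True).stdout


def run_hardened(branch: str) -> str:
    """Keep the name out of the script text: pass it to sh as positional
    parameter $1, which the shell expands as data and never re-parses."""
    script = 'echo checking out "$1"'
    return subprocess.run(["sh", "-c", script, "sh", branch],
                          capture_output=True, text=True).stdout


# Approximation of git's ref-name rules (check-ref-format), used as an
# allow-list.  Assumed and simplified; defence in depth only, the real fix
# is run_hardened above.
_REF_RE = re.compile(
    r"(?!/)(?!.*//)(?!.*\.\.)(?!.*@\{)(?!.*\.lock(?:/|$))(?!.*/$)(?!.*\.$)"
    r"[^\x00-\x20\x7f~^:?*\[\\]+"
)


def is_plausible_branch_name(name: str) -> bool:
    """Reject control characters and whitespace, the characters ~ ^ : ? * [ \\,
    the sequences '..' and '@{', a leading or trailing '/', a trailing '.' or
    '.lock', and the bare name '@'.  Everything else is accepted."""
    return name != "@" and _REF_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(CRAFTED_BRANCH)))
    print("hardened:  ", repr(run_hardened(CRAFTED_BRANCH)))
    print("allow-list:", is_plausible_branch_name(CRAFTED_BRANCH))
```

The vulnerable call prints "checking out main" and then "INJECTED" as a second line, because the shell split the script at the semicolon; the hardened call prints the whole crafted name as one literal argument. The allow-list rejects the crafted name on the embedded space alone, which is why it is only a secondary control: git itself permits characters such as ';' in ref names, so filtering cannot replace keeping the name out of shell syntax.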