GitLab Patches XSS Vulnerability – Attackers Execute Arbitrary Code


GitLab has released new Community Edition (CE) and Enterprise Edition (EE) versions to address multiple vulnerabilities.

Among these, a high-severity cross-site scripting (XSS) vulnerability has drawn particular attention because it could let an attacker run arbitrary scripts in the browser of a logged-in user.


Summary of the Update

On July 25, 2024, GitLab announced the release of versions 17.2.1, 17.1.3, and 17.0.5 for both CE and EE. These updates contain important bug fixes and security fixes, and GitLab strongly recommends that all installations be upgraded immediately.

GitLab fixes vulnerabilities through two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. GitLab.com has already been updated to the patched version.

Security Fixes

XSS via the Maven Dependency Proxy

A cross-site scripting vulnerability in GitLab CE/EE, affecting versions from 16.6 before 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allows an attacker to execute arbitrary scripts under the context of the currently logged-in user.

GitLab team member Joern Schneeweisz discovered this high-severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, 7.7) internally.


CVE-2024-5067 – Project Level Analytics Settings Leaked in DOM

An issue in GitLab EE affecting versions 16.11 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 could leak certain project-level analytics settings in the DOM to group members with Developer or higher roles.

This medium-severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4) is now mitigated in the latest release and is assigned CVE-2024-5067.

Thanks to yvvdwf and zebraman for reporting this vulnerability through GitLab’s HackerOne bug bounty program.

CVE-2024-7057 – Reporters Can Access and Download Job Artifacts Despite Use of Settings to Prevent It

An information disclosure vulnerability in GitLab CE/EE, affecting versions from 16.7 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allowed job artifacts to be inappropriately exposed to unauthorized users.

This medium-severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3) is now mitigated and is assigned CVE-2024-7057. Thanks to ricardobrito for reporting this vulnerability through GitLab’s HackerOne bug bounty program.

Direct Transfer – Authorized Project/Group Exports Accessible to Other Users

An issue in GitLab CE/EE, affecting versions from 15.6 before 17.0.5, 17.1 before 17.1.3, and 17.2 before 17.2.1, allowed limited information of an exported group or project to be disclosed to another user.

GitLab team member James Nutt found this medium-severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N, 4.1) internally.

CVE-2024-0231 – Bypassing Tag Check and Branch Check Through Imports

A resource misdirection vulnerability in GitLab CE/EE, affecting versions from 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allowed an attacker to craft a repository import to misdirect commits.

This low-severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7) is now mitigated and is assigned CVE-2024-0231.

Thanks to aaron_dewes for reporting this vulnerability through GitLab’s HackerOne bug bounty program.

Project Import/Export – Make Project/Group Export Files Hidden to Everyone Except User Who Initiated It

An information disclosure vulnerability in GitLab CE/EE in project/group exports, affecting versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allowed unauthorized users to view the resultant export.

GitLab team member Martin Wortschack discovered this low-severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6) internally.

GitLab strongly recommends that all installations running affected versions be upgraded to the latest version immediately. This applies to all deployment types, including omnibus, source code, and helm chart.
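As an added example (not from GitLab or the article's author), the following Python script turns the affected-version ranges listed above into an exposure check an administrator can run against a version string read from an instance. The issue table and the "from X prior to Y" range semantics are copied from the advisory text; the version string is assumed to be supplied by the operator (for example from the instance's version endpoint), so the script takes it as a parameter.

```python
"""Exposure check for the GitLab patch release described above (added example)."""
from __future__ import annotations

# Fixed releases for the three maintained branches named in the advisory.
FIXED = ("17.0.5", "17.1.3", "17.2.1")

# Issue -> first affected version, as stated in the advisory summary above.
ISSUES = {
    "XSS via the Maven Dependency Proxy (high, CVSS 7.7)": "16.6",
    "CVE-2024-5067 analytics settings leaked in DOM (medium, 4.4)": "16.11",
    "CVE-2024-7057 job artifacts exposed (medium, 4.3)": "16.7",
    "Direct Transfer export disclosure (medium, 4.1)": "15.6",
    "CVE-2024-0231 tag/branch check bypass via import (low, 2.7)": "12.0",
    "Project/Group export files visible to others (low, 2.6)": "15.4",
}


def parse_version(text: str) -> tuple:
    """Parse '17.1.2', '17.1' or '17.1.2-ee' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop edition suffixes such as '-ee'
    parts = [int(p) for p in core.split(".")]
    if not 1 < len(parts) <= 3:
        raise ValueError(f"unexpected GitLab version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def affected_ranges(first_affected: str) -> list:
    """Expand 'from X' into [X, 17.0.5), [17.1.0, 17.1.3), [17.2.0, 17.2.1).

    The advisory's "from X prior to Y" is lower-inclusive and upper-exclusive,
    so every 16.x or older release back to X counts as affected and unfixed.
    """
    ranges = [(parse_version(first_affected), parse_version(FIXED[0]))]
    for fixed in FIXED[1:]:
        fv = parse_version(fixed)
        ranges.append(((fv[0], fv[1], 0), fv))  # branch start, e.g. 17.1.0
    return ranges


def exposure(version_text: str) -> list:
    """Return the advisory issues that the given GitLab version is still exposed to."""
    v = parse_version(version_text)
    return [
        name for name, first in ISSUES.items()
        if any(lo <= v < hi for lo, hi in affected_ranges(first))
    ]


if __name__ == "__main__":
    # Constructed sample inputs; a real check would feed in the instance's version.
    for sample in ("16.9.2-ee", "17.0.4", "17.1.3", "17.2.0", "17.2.1"):
        hits = exposure(sample)
        print(sample, "->", "patched" if not hits else f"exposed to {len(hits)} issue(s)")
```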



