GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), fixing issues that could lead to unauthorized access to Kubernetes clusters and other potential exploits.
The latest patch versions, 17.5.2, 17.4.4, and 17.3.7, are now available, and GitLab strongly urges all self-managed users to upgrade immediately.
The GitLab.com platform is already on the updated version, and GitLab Dedicated customers are unaffected.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
Critical Kubernetes Cluster Access Vulnerability (CVE-2024-9693)
The most severe issue patched in this release is a high-severity vulnerability (CVE-2024-9693) that could allow unauthorized access to Kubernetes cluster agents.
This flaw affects GitLab CE/EE versions starting from 16.0 up to 17.3.7, 17.4.4, and 17.5.2. The vulnerability, which scored a CVSS rating of 8.5, could allow unauthorized users to gain access to Kubernetes clusters under specific configurations.
The GitLab security team discovered this vulnerability internally, and the issue has now been resolved in the latest patches.
It is highly recommended that all self-managed GitLab users upgrade to the latest versions to mitigate this risk.
Device OAuth Flow Vulnerability (CVE-2024-7404)
Another significant issue addressed is a medium-severity vulnerability (CVE-2024-7404) related to the Device OAuth flow, which could have allowed attackers to gain full API access as the victim.
This issue affects GitLab CE/EE versions from 17.2 to 17.3.7 and has now been mitigated in the latest release. The vulnerability was reported via GitLab’s bug bounty program.
Denial of Service via FogBugz Import
A denial of service (DoS) vulnerability was discovered in GitLab CE/EE versions starting from 7.14.1 to 17.3.7.
This issue could be exploited by importing maliciously crafted content through the FogBugz importer, resulting in service disruption. GitLab is currently awaiting a CVE ID for this vulnerability.
Stored XSS in Analytics Dashboards (CVE-2024-8648)
Another medium-severity vulnerability (CVE-2024-8648) related to stored cross-site scripting (XSS) was found in the Analytics dashboards of GitLab CE/EE.
This flaw could allow attackers to inject malicious JavaScript code through a specially crafted URL. This affects versions from 16.0 to 17.5.2 and has now been fixed.
HTML Injection Leading to XSS (CVE-2024-8180)
An issue allowing HTML injection in the vulnerability code flow, potentially leading to cross-site scripting (XSS), was also addressed.
This medium-severity vulnerability (CVE-2024-8180) affects GitLab CE/EE versions from 17.3 to 17.5 and has been resolved in the latest update.
Information Disclosure via API (CVE-2024-10240)
Lastly, a medium-severity vulnerability (CVE-2024-10240) that could allow unauthorized users to access limited information about merge requests in private projects through an API endpoint has been patched. This vulnerability was discovered internally by a GitLab team member.
GitLab urges all users with self-managed installations to upgrade to the latest patch versions immediately.
These updates contain critical security fixes that protect against potential unauthorized access and other security risks.
Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.