GitLab Security Flaw Let Attackers Inject Malicious Scripts


GitLab has announced the release of updated versions for both its Community Edition (CE) and Enterprise Edition (EE), addressing critical vulnerabilities that could potentially allow attackers to inject malicious scripts and cause denial of service (DoS) attacks.

The versions released—16.10.1, 16.9.3, and 16.8.5—come as a part of GitLab’s ongoing efforts to maintain the highest security standards and protect its users from emerging cyber threats.

CVE-2023-6371: Stored XSS Vulnerability in Wiki Pages

One of the most critical issues addressed in this update is a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6371.



This flaw affected all versions of GitLab CE/EE before 16.8.5, from 16.9 before 16.9.3, and 16.10 before 16.10.1. Attackers could exploit this vulnerability by injecting a crafted payload into a wiki page, leading to arbitrary actions being performed on behalf of the victims.
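As an added example (not GitLab's own code): a version check that encodes the affected ranges quoted above, so an inventory of GitLab instance version strings can be screened for installs still needing the patch. The inventory and its version strings are constructed, and treating any line newer than 16.10 as fixed is an assumption the advisory does not state.

```python
# Added example, not GitLab's code: flag GitLab CE/EE versions that fall in
# the ranges the advisory lists as affected by CVE-2023-6371 (and, per the
# article, CVE-2024-2818). Fixed versions: 16.8.5, 16.9.3, 16.10.1.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Parse '16.9.2', '16.9.2-ee' or 'v16.9.2' into (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True if the version is inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    line = (v[0], v[1])
    if line == (16, 10):          # "16.10 before 16.10.1"
        return v < (16, 10, 1)
    if line > (16, 10):           # assumption: lines newer than 16.10 shipped fixed
        return False
    if line == (16, 9):           # "16.9 before 16.9.3"
        return v < (16, 9, 3)
    return v < (16, 8, 5)         # "all versions before 16.8.5"


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts of a {host: version} map that still need upgrading."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "git-prod": "16.9.2-ee",
    "git-staging": "16.10.1",
    "git-legacy": "16.7.9",
    "git-dev": "16.8.5-ce",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade")
```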

This high-severity issue, with a CVSS score of 8.7, underscores the potential risks to data integrity and user privacy.

The discovery of CVE-2023-6371 was credited to a user by the pseudonym “yvvdwf,” who reported the vulnerability through GitLab’s HackerOne bug bounty program.

GitLab’s prompt response to this report and subsequent patching of the vulnerability highlights the company’s commitment to security and the effectiveness of collaborative efforts in identifying and mitigating cyber threats.

Another vulnerability patched in the latest release is CVE-2024-2818, a medium-severity issue that could allow attackers to cause a denial of service (DoS) using maliciously crafted emojis.

This vulnerability affected the same versions as CVE-2023-6371 and has a CVSS score of 4.3.

The flaw was reported by Quintin Crist of Trend Micro, further emphasizing the importance of community involvement in cybersecurity.

Additional Security Measures and Recommendations

In addition to addressing these vulnerabilities, GitLab has also updated its PostgreSQL versions to 13.14 and 14.11, following the PostgreSQL project’s latest release.

This update is part of GitLab’s non-security patches, which also include various improvements and bug fixes aimed at enhancing the platform’s stability and performance.

GitLab strongly recommends that all users running affected versions upgrade to the latest version as soon as possible to mitigate the risks associated with these vulnerabilities.

The company’s dedication to security is evident in its regular release of patches and updates, as well as its comprehensive security FAQ and best practices for securing GitLab instances.

For more information on the vulnerabilities and the patches released, users are encouraged to visit GitLab’s official security release blog posts and the issue tracker, where details of each vulnerability will be made public 30 days after the release.

GitLab’s proactive approach to security, combined with the active participation of the cybersecurity community, plays a crucial role in safeguarding the platform against evolving cyber threats.

Users are urged to stay informed and take the necessary steps to ensure their installations are secure.
