GitLab Fixes High-Severity Account Takeover Vulnerability

GitLab, the popular online DevOps platform, has released urgent security updates for both the Community Edition (CE) and Enterprise Edition (EE) to address multiple critical vulnerabilities, including one that lets unauthenticated attackers take over accounts through cross-site scripting (XSS).

High Severity Account Takeover Vulnerability

The most severe vulnerability, CVE-2024-4835 (CVSS 8.0), is an XSS vulnerability in the VS Code editor (Web IDE) on gitlab.com that allows an attacker to craft a malicious page to exfiltrate sensitive user information, potentially leading to a complete account takeover.

While successful exploitation does not require any authentication, it does require user interaction, which increases the attack complexity.

Security researcher matanber discovered and reported the issue to GitLab via the HackerOne bug bounty platform. It was patched on May 22, 2024, with versions 17.0.1, 16.11.3, and 16.10.6.

“Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” GitLab said in a security press release on Wednesday.

“These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”

Additional Medium-Severity Vulnerabilities Addressed

Besides the above, the company has also fixed the following six medium-severity security flaws in GitLab CE/EE:

  • CVE-2024-2874: This Denial of Service (DoS) vulnerability in the ‘description’ field of the runner affects GitLab CE/EE in all versions prior to 16.10.6, 16.11 prior to 16.11.3, and 17.0 prior to 17.0.1. A runner registered with a crafted description can disrupt the loading of targeted GitLab web resources.
  • CVE-2023-7045: By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF (Cross-Site Request Forgery) tokens via the Kubernetes Agent Server (KAS). This CSRF vulnerability exists within GitLab CE/EE from versions 16.3 up to 16.10.6, from 16.11 up to 16.11.3, and from 17.0 up to 17.0.1.
  • CVE-2023-6502: This vulnerability makes it possible for an attacker to cause a DoS using a crafted wiki page. This DoS condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1.
  • CVE-2024-1947: By leveraging this vulnerability, an attacker could create a DoS condition by sending crafted API calls. This DoS condition was found in GitLab CE/EE, affecting all versions from 13.2.4 to 16.10.6, 16.11 to 16.11.3, and 17.0 to 17.0.1.
  • An authorization vulnerability in the “Set Pipeline Status of a Commit” API could be exploited by an authenticated attacker using a crafted naming convention to bypass pipeline authorization logic. It affects GitLab from versions 16.10 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1. This vulnerability has yet to be assigned a CVE (Common Vulnerabilities and Exposures) ID.
  • This vulnerability, which has yet to be assigned a CVE ID, allows a guest user to view dependency lists of private projects through job artifacts. It has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1.

To protect against the above-mentioned vulnerabilities, GitLab users are strongly recommended to upgrade their installations to any of the latest released versions, 17.0.1, 16.11.3, and 16.10.6, as soon as possible.
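As an added defender-side check (not from the article and not GitLab's own tooling), the following Python encodes the patched releases and per-issue version ranges listed above and reports which of the advisory's issues still apply to a given self-managed GitLab version. The issue labels and the treatment of issues with no stated introduction version as starting at 0.0.0 are assumptions made here.

```python
"""Check whether a self-managed GitLab version falls inside the ranges
patched by the 17.0.1 / 16.11.3 / 16.10.6 releases described above."""

Version = tuple[int, int, int]

# Patched releases named in the advisory; anything on these branches at or
# above the listed patch level carries the fixes.
FIXED: list[Version] = [(16, 10, 6), (16, 11, 3), (17, 0, 1)]

# Lower bounds the article gives per issue ("affecting all versions from ...").
# Issues with no stated introduction version are assumed to start at 0.0.0.
INTRODUCED: dict[str, Version] = {
    "CVE-2024-4835 (Web IDE XSS)": (0, 0, 0),
    "CVE-2024-2874 (runner description DoS)": (0, 0, 0),
    "CVE-2023-7045 (KAS CSRF token leak)": (16, 3, 0),
    "CVE-2023-6502 (wiki page DoS)": (0, 0, 0),
    "CVE-2024-1947 (crafted API call DoS)": (13, 2, 4),
    "Pipeline status authorization bypass (no CVE yet)": (16, 10, 0),
    "Guest dependency list exposure (no CVE yet)": (11, 11, 0),
}

def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z'; an optional '-ee' suffix, as GitLab prints it, is ignored."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def is_patched(version: Version) -> bool:
    """True if the version carries the fixes from this advisory."""
    if version >= max(FIXED):
        return True  # 17.0.1 or any later release
    for fixed in FIXED:
        if version[:2] == fixed[:2]:
            return version >= fixed  # same branch: compare patch level
    return False  # older branch with no backport (e.g. 16.9.x)

def affected_issues(text: str) -> list[str]:
    """Names of the advisory's issues that apply to the given version string."""
    version = parse_version(text)
    if is_patched(version):
        return []
    return [name for name, since in INTRODUCED.items() if version >= since]

if __name__ == "__main__":
    for v in ("16.9.8-ee", "16.10.5", "16.11.3", "17.0.0", "17.1.0"):
        print(v, "->", affected_issues(v) or "patched")
```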

Kavita Iyer