Thursday, November 21, 2024

GitLab Patches Critical Flaws Leading to Unauthorized Access to Kubernetes Clusters


GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), fixing issues that could lead to unauthorized access to Kubernetes clusters and other potential exploits.

The latest patch versions, 17.5.2, 17.4.4, and 17.3.7, are now available, and GitLab strongly urges all self-managed users to upgrade immediately.

The GitLab.com platform is already on the updated version, and GitLab Dedicated customers are unaffected.


Critical Kubernetes Cluster Access Vulnerability (CVE-2024-9693)

The most severe issue patched in this release is a high-severity vulnerability (CVE-2024-9693) that could allow unauthorized access to Kubernetes cluster agents.

This flaw affects GitLab CE/EE versions from 16.0 up to, but not including, the patched releases 17.3.7, 17.4.4, and 17.5.2. The vulnerability, rated CVSS 8.5, could allow unauthorized users to gain access to Kubernetes clusters under specific configurations.

The GitLab security team discovered this vulnerability internally, and the issue has now been resolved in the latest patches.

It is highly recommended that all self-managed GitLab users upgrade to the latest versions to mitigate this risk.

Device OAuth Flow Vulnerability (CVE-2024-7404)

Another significant issue addressed is a medium-severity vulnerability (CVE-2024-7404) related to the Device OAuth flow, which could have allowed attackers to gain full API access as the victim.

This issue affects GitLab CE/EE versions from 17.2 up to, but not including, 17.3.7 and has now been mitigated in the latest release. The vulnerability was reported via GitLab’s bug bounty program.

Denial of Service via FogBugz Import

A denial of service (DoS) vulnerability was discovered in GitLab CE/EE versions from 7.14.1 up to, but not including, 17.3.7.

This issue could be exploited by importing maliciously crafted content through the FogBugz importer, resulting in service disruption. GitLab is currently awaiting a CVE ID for this vulnerability.

Stored XSS in Analytics Dashboards (CVE-2024-8648)

Another medium-severity vulnerability (CVE-2024-8648) related to stored cross-site scripting (XSS) was found in the Analytics dashboards of GitLab CE/EE.

This flaw could allow attackers to inject malicious JavaScript code through a specially crafted URL. This affects versions from 16.0 to 17.5.2 and has now been fixed.

HTML Injection Leading to XSS (CVE-2024-8180)

An issue allowing HTML injection in the vulnerability code flow, potentially leading to cross-site scripting (XSS), was also addressed.

This medium-severity vulnerability (CVE-2024-8180) affects GitLab CE/EE versions from 17.3 to 17.5 and has been resolved in the latest update.

Information Disclosure via API (CVE-2024-10240)

Lastly, a medium-severity vulnerability (CVE-2024-10240) that could allow unauthorized users to access limited information about merge requests in private projects through an API endpoint has been patched. This vulnerability was discovered internally by a GitLab team member.

GitLab urges all users with self-managed installations to upgrade to the latest patch versions immediately.

These updates contain critical security fixes that protect against potential unauthorized access and other security risks.
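For an administrator of a self-managed instance, the first question is whether the running version falls inside any of the ranges listed above. The following script is an added example written for this article, not GitLab's own tooling. It transcribes the affected ranges from the text and assumes that the three patched versions of this release (17.5.2, 17.4.4, 17.3.7) are the fix points for every item, which the article states explicitly only for CVE-2024-9693; CVE-2024-10240 is omitted because no affected range is given for it.

```python
"""Triage helper for the GitLab advisory above (added example, not GitLab code).

Answers one question: is a given self-managed GitLab version inside any of the
affected ranges?  Ranges are transcribed from the article; the three patched
versions of the release are assumed to be the fix points for every item.
"""

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' (an '-ee'/'-ce' suffix is ignored) into a
    comparable tuple; a missing PATCH component counts as 0."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


@dataclass(frozen=True)
class AffectedRange:
    name: str
    first_affected: str
    patched: tuple[str, ...]  # one fixed version per backported release line

    def is_affected(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.first_affected):
            return False  # predates the introduction of the bug
        fixes = sorted(parse_version(p) for p in self.patched)
        for fix in fixes:
            if v[:2] == fix[:2]:
                # Same MAJOR.MINOR line: fixed once the patch level reaches the backport.
                return v < fix
        # No backport exists for this line (e.g. 17.2.x): anything older than the
        # newest fix is still affected, anything newer already contains the fix.
        return v < fixes[-1]


# Assumption: every item in the release is fixed at these three versions.
PATCHED_LINES = ("17.3.7", "17.4.4", "17.5.2")

# Ranges as the article states them; CVE-2024-10240 has no stated range.
ADVISORY = (
    AffectedRange("CVE-2024-9693 (Kubernetes agent access)", "16.0", PATCHED_LINES),
    AffectedRange("CVE-2024-7404 (Device OAuth flow)", "17.2", PATCHED_LINES),
    AffectedRange("FogBugz import DoS (CVE pending)", "7.14.1", PATCHED_LINES),
    AffectedRange("CVE-2024-8648 (stored XSS, analytics dashboards)", "16.0", PATCHED_LINES),
    AffectedRange("CVE-2024-8180 (HTML injection, vulnerability code flow)", "17.3", PATCHED_LINES),
)


def check_version(version: str) -> list[str]:
    """Return the names of all advisory items that still affect `version`."""
    return [r.name for r in ADVISORY if r.is_affected(version)]


if __name__ == "__main__":
    import sys
    # Usage: python gitlab_triage.py 17.4.3-ee   (hypothetical file name)
    for arg in sys.argv[1:] or ["17.4.3-ee"]:
        hits = check_version(arg)
        print(f"{arg}: {'affected by ' + ', '.join(hits) if hits else 'not affected'}")
```

The version string can be taken from the instance's Admin area or from `gitlab-rake gitlab:env:info` on the server. Note the handling of release lines that received no backport: a 17.2.x instance is older than every fix and therefore remains affected, while 17.6 and later already contain the fixes.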


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
