Tuesday, December 10, 2024
HomeCVE/vulnerabilityGitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

Published on

SIEM as a Service

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), fixing issues that could lead to unauthorized access to Kubernetes clusters and other potential exploits.

The latest patch versions, 17.5.2, 17.4.4, and 17.3.7, are now available, and GitLab strongly urges all self-managed users to upgrade immediately.

The GitLab.com platform is already on the updated version, and GitLab Dedicated customers are unaffected.

- Advertisement - SIEM as a Service

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Critical Kubernetes Cluster Access Vulnerability (CVE-2024-9693)

The most severe issue patched in this release is a high-severity vulnerability (CVE-2024-9693) that could allow unauthorized access to Kubernetes cluster agents.

This flaw affects GitLab CE/EE versions starting from 16.0 up to 17.3.7, 17.4.4, and 17.5.2. The vulnerability, which scored a CVSS rating of 8.5, could allow unauthorized users to gain access to Kubernetes clusters under specific configurations.

The GitLab security team discovered this vulnerability internally, and the issue has now been resolved in the latest patches.

It is highly recommended that all self-managed GitLab users upgrade to the latest versions to mitigate this risk.

Device OAuth Flow Vulnerability (CVE-2024-7404)

Another significant issue addressed is a medium-severity vulnerability (CVE-2024-7404) related to the Device OAuth flow, which could have allowed attackers to gain full API access as the victim.

This issue affects GitLab CE/EE versions from 17.2 to 17.3.7 and has now been mitigated in the latest release. The vulnerability was reported via GitLab’s bug bounty program.

Denial of Service via FogBugz Import

A denial of service (DoS) vulnerability was discovered in GitLab CE/EE versions starting from 7.14.1 to 17.3.7.

This issue could be exploited by importing maliciously crafted content through the FogBugz importer, resulting in service disruption. GitLab is currently awaiting a CVE ID for this vulnerability.

Stored XSS in Analytics Dashboards (CVE-2024-8648)

Another medium-severity vulnerability (CVE-2024-8648) related to stored cross-site scripting (XSS) was found in the Analytics dashboards of GitLab CE/EE.

This flaw could allow attackers to inject malicious JavaScript code through a specially crafted URL. This affects versions from 16.0 to 17.5.2 and has now been fixed.

HTML Injection Leading to XSS (CVE-2024-8180)

An issue allowing HTML injection in the vulnerability code flow, potentially leading to cross-site scripting (XSS), was also addressed.

This medium-severity vulnerability (CVE-2024-8180) affects GitLab CE/EE versions from 17.3 to 17.5 and has been resolved in the latest update.

Information Disclosure via API (CVE-2024-10240)

Lastly, a medium-severity vulnerability (CVE-2024-10240) that could allow unauthorized users to access limited information about merge requests in private projects through an API endpoint has been patched. This vulnerability was discovered internally by a GitLab team member.

GitLab urges all users with self-managed installations to upgrade to the latest patch versions immediately.

These updates contain critical security fixes that protect against potential unauthorized access and other security risks.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...