GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), fixing issues that could lead to unauthorized access to Kubernetes clusters and other potential exploits.
The latest patch versions, 17.5.2, 17.4.4, and 17.3.7, are now available, and GitLab strongly urges all self-managed users to upgrade immediately.
The GitLab.com platform is already on the updated version, and GitLab Dedicated customers are unaffected.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
The most severe issue patched in this release is a high-severity vulnerability (CVE-2024-9693) that could allow unauthorized access to Kubernetes cluster agents.
This flaw affects GitLab CE/EE versions starting from 16.0 up to 17.3.7, 17.4.4, and 17.5.2. The vulnerability, which scored a CVSS rating of 8.5, could allow unauthorized users to gain access to Kubernetes clusters under specific configurations.
The GitLab security team discovered this vulnerability internally, and the issue has now been resolved in the latest patches.
It is highly recommended that all self-managed GitLab users upgrade to the latest versions to mitigate this risk.
Another significant issue addressed is a medium-severity vulnerability (CVE-2024-7404) related to the Device OAuth flow, which could have allowed attackers to gain full API access as the victim.
This issue affects GitLab CE/EE versions from 17.2 to 17.3.7 and has now been mitigated in the latest release. The vulnerability was reported via GitLab’s bug bounty program.
A denial of service (DoS) vulnerability was discovered in GitLab CE/EE versions starting from 7.14.1 to 17.3.7.
This issue could be exploited by importing maliciously crafted content through the FogBugz importer, resulting in service disruption. GitLab is currently awaiting a CVE ID for this vulnerability.
Another medium-severity vulnerability (CVE-2024-8648) related to stored cross-site scripting (XSS) was found in the Analytics dashboards of GitLab CE/EE.
This flaw could allow attackers to inject malicious JavaScript code through a specially crafted URL. This affects versions from 16.0 to 17.5.2 and has now been fixed.
An issue allowing HTML injection in the vulnerability code flow, potentially leading to cross-site scripting (XSS), was also addressed.
This medium-severity vulnerability (CVE-2024-8180) affects GitLab CE/EE versions from 17.3 to 17.5 and has been resolved in the latest update.
Lastly, a medium-severity vulnerability (CVE-2024-10240) that could allow unauthorized users to access limited information about merge requests in private projects through an API endpoint has been patched. This vulnerability was discovered internally by a GitLab team member.
GitLab urges all users with self-managed installations to upgrade to the latest patch versions immediately.
These updates contain critical security fixes that protect against potential unauthorized access and other security risks.
Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.
GitLab, the widely adopted DevOps platform, has announced the immediate release of versions 17.8.1, 17.7.3, and…
The Oligo Research team has disclosed a critical vulnerability in Meta’s widely used Llama-stack framework.…
INE Security, a leading global provider of cybersecurity training and certifications, today announced a new…
In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a colleague…
A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a grave…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS) advisories…