Cyber Security News

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), fixing issues that could lead to unauthorized access to Kubernetes clusters and other potential exploits.

The latest patch versions, 17.5.2, 17.4.4, and 17.3.7, are now available, and GitLab strongly urges all self-managed users to upgrade immediately.

The GitLab.com platform is already on the updated version, and GitLab Dedicated customers are unaffected.

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Critical Kubernetes Cluster Access Vulnerability (CVE-2024-9693)

The most severe issue patched in this release is a high-severity vulnerability (CVE-2024-9693) that could allow unauthorized access to Kubernetes cluster agents.

This flaw affects GitLab CE/EE versions starting from 16.0 up to 17.3.7, 17.4.4, and 17.5.2. The vulnerability, which scored a CVSS rating of 8.5, could allow unauthorized users to gain access to Kubernetes clusters under specific configurations.

The GitLab security team discovered this vulnerability internally, and the issue has now been resolved in the latest patches.

It is highly recommended that all self-managed GitLab users upgrade to the latest versions to mitigate this risk.

Device OAuth Flow Vulnerability (CVE-2024-7404)

Another significant issue addressed is a medium-severity vulnerability (CVE-2024-7404) related to the Device OAuth flow, which could have allowed attackers to gain full API access as the victim.

This issue affects GitLab CE/EE versions from 17.2 to 17.3.7 and has now been mitigated in the latest release. The vulnerability was reported via GitLab’s bug bounty program.

Denial of Service via FogBugz Import

A denial of service (DoS) vulnerability was discovered in GitLab CE/EE versions starting from 7.14.1 to 17.3.7.

This issue could be exploited by importing maliciously crafted content through the FogBugz importer, resulting in service disruption. GitLab is currently awaiting a CVE ID for this vulnerability.

Stored XSS in Analytics Dashboards (CVE-2024-8648)

Another medium-severity vulnerability (CVE-2024-8648) related to stored cross-site scripting (XSS) was found in the Analytics dashboards of GitLab CE/EE.

This flaw could allow attackers to inject malicious JavaScript code through a specially crafted URL. This affects versions from 16.0 to 17.5.2 and has now been fixed.

HTML Injection Leading to XSS (CVE-2024-8180)

An issue allowing HTML injection in the vulnerability code flow, potentially leading to cross-site scripting (XSS), was also addressed.

This medium-severity vulnerability (CVE-2024-8180) affects GitLab CE/EE versions from 17.3 to 17.5 and has been resolved in the latest update.

Information Disclosure via API (CVE-2024-10240)

Lastly, a medium-severity vulnerability (CVE-2024-10240) that could allow unauthorized users to access limited information about merge requests in private projects through an API endpoint has been patched. This vulnerability was discovered internally by a GitLab team member.

GitLab urges all users with self-managed installations to upgrade to the latest patch versions immediately.

These updates contain critical security fixes that protect against potential unauthorized access and other security risks.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and Enterprise…

1 hour ago

BadRAM Attack Breaches AMD Secure VMs with $10 Device

Researchers have uncovered a vulnerability that allows attackers to compromise AMD's Secure Encrypted Virtualization (SEV)…

2 hours ago

Splunk RCE Vulnerability Let Attackers Execute Remote Code

Splunk, the data analysis and monitoring platform, is grappling with a Remote Code Execution (RCE)…

4 hours ago

Europol Shutsdown 27 DDoS Service Provider Platforms

In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across 15…

4 hours ago

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

19 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

19 hours ago