GitLab addressed numerous security updates with the latest release. These include a high-severity XSS vulnerability that could allow account takeover for a target GitLab user. The developers urge all users to upgrade to the latest patched versions to receive the security fixes.
High-Severity GitLab XSS Vulnerability Patched
According to a recent post from GitLab, the developers addressed numerous security vulnerabilities with the latest release. The most important in the entire update bundle includes a high-severity cross-site scripting (XSS) vulnerability.
Describing this flaw, identified as CVE-2024-4835, GitLab stated that the vulnerability existed in the VS code editor (Web IDE). Exploiting the flaw could allow an adversary to exfiltrate sensitive data by creating maliciously crafted pages.
This vulnerability received a CVSS score of 8.0, and it affected GitLab versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. It first caught the attention of security researcher Matan Berson, who reported the matter to GitLab via its HackerOne bug bounty program.
Other Security Fixes With The Latest GitLab Update
Besides the high-severity XSS flaw, GitLab also patched numerous other security vulnerabilities with the latest updates. These include the following.
- CVE-2024-2874 (CVSS 6.5): A medium-severity DoS vulnerability affecting the
description
field of the runner. Exploiting the flaw merely required registering a runner with a crafted description, which would then disrupt loading of targeted GitLab web resources. - CVE-2023-7045 (CVSS 5.4): A medium-severity cross-site request forgery (CSRF) vulnerability that an attacker could exploit via the Kubernetes Agent Server (KAS).
- CVE-2024-5258 (CVSS 4.4): A medium-severity authorization vulnerability that could let an authenticated adversary bypass pipeline authorization logic via a crafted naming convention. GitLab credited its team member Andrew Winata for reporting this issue.
- CVE-2023-6502 (CVSS 4.3): A medium-severity denial of service that an adversary could trigger via a maliciously crafted wiki page.
- CVE-2024-1947 (CVSS 4.3): Another medium severity DoS flaw affecting the test_report API calls. An attacker could trigger by sending maliciously crafted API calls.
- CVE-2024-5318 (CVSS 4.3): A medium severity vulnerability that could allow an adversary to “view dependency lists of private projects through job artifacts”.
GitLab patched all these vulnerabilities with GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.0.1, 16.11.3, and 16.10.6, urging users to update their installations accordingly.
Let us know your thoughts in the comments.