With its latest security update, GitLab fixes more than fifteen vulnerabilities in the Community Edition (CE) and Enterprise Edition (EE) of its development platform. Several flaws rated critical or high make the update a mandatory task, unless you are a cloud customer or have your own instance administered by GitLab.

In a collective advisory, GitLab addresses more than a dozen issues, one of which (CVE-2024-6678, CVSS 9.9) is rated critical. Under certain circumstances, attackers could run pipelines as any user and thus also intercept deployment environments. To do so, however, they must already have a user account on the targeted GitLab instance.
Among the flaws rated high are a code injection vulnerability via insufficiently filtered YAML (CVE-2024-8640, CVSS 8.5) and a denial-of-service opportunity via an oversized externally supplied parameter (CVE-2024-8124, CVSS 7.5). Flaws of medium and lower severity have also been fixed; see the table below.
As usual, GitLab is withholding details about the security vulnerabilities: the security advisory contains only a brief description of each problem and some metadata. The vendor will release further details in a month.
| Description | CVE ID | CVSS | Severity | Affected versions |
|---|---|---|---|---|
| Execute the environment stop action as the owner of the stop action job | CVE-2024-6678 | 9.9 | Critical | 8.14 – 17.1.6, 17.2 < 17.2.3, 17.3 < 17.3.2 |
| Prevent code injection in product analytics funnel YAML | CVE-2024-8640 | 8.5 | High | 16.11 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| SSRF via Dependency Proxy | CVE-2024-8635 | 7.7 | High | 16.8 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Denial of service by sending a large glm_source parameter | CVE-2024-8124 | 7.5 | High | 16.4 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| CI_JOB_TOKEN can be used to get a GitLab session token | CVE-2024-8641 | 6.7 | Medium | 13.7 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Variables in settings are not overwritten by PEP if a template is included | CVE-2024-8311 | 6.5 | Medium | 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Guests can reveal the full source code of projects using custom group-level templates | CVE-2024-4660 | 6.5 | Medium | 11.2 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| IdentitiesController allows adding arbitrary unclaimed provider identities | N/A | 6.4 | Medium | 16.9.7 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Open redirect in repo/tree/:id endpoint can lead to account takeover via broken OAuth flow | CVE-2024-4283 | 6.4 | Medium | 11.1 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Open redirects in release permalinks can lead to account takeover via broken OAuth flow | CVE-2024-4612 | 6.4 | Medium | 12.9 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Guest user with Admins group member permission can edit custom role to get other permissions | CVE-2024-8631 | 5.5 | Medium | 16.6 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Exposure of protected and hidden CI/CD variables by abusing on-demand DAST | CVE-2024-2763 | 5.3 | Medium | 13.3 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Credentials are exposed when repository mirroring fails | CVE-2024-5435 | 4.5 | Medium | 15.10 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Commit information visible to guest users via release atom endpoint | CVE-2024-6389 | 4.0 | Medium | 16.5 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| User can spoof application redirect URLs | CVE-2024-6446 | 3.5 | Low | 17.1 < 17.1.7, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Group developers can view group runners’ information | CVE-2024-6685 | 3.1 | Low | 16.7 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
Update self-hosted instances!
The three current releases fix the vulnerabilities in the corresponding GitLab CE and EE release branches, namely 17.3.2, 17.2.5 and 17.1.7. Administrators of self-hosted instances should update promptly. Anyone who keeps their software projects in GitLab’s own cloud (the SaaS offering “gitlab.com” or “GitLab Dedicated”) does not need to do anything; those environments have already been patched.
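To apply the table above to your own instance, here is an added Python example (not GitLab's own tooling) that parses the affected-version notation used in the table and reports which of the listed CVEs still apply to a given version string; only three rows are transcribed, the others can be added in the same way.

```python
"""Check a self-hosted GitLab version against the advisory's affected ranges.

Added example, not GitLab code. The range strings are copied verbatim from
the table's "Affected versions" column; three rows are included here.
"""
import re

# Notation: "<first affected> – <last affected>" is an inclusive range,
# "<branch> < <fixed>" means every release of that branch below the fix.
AFFECTED = {
    "CVE-2024-6678": "8.14 – 17.1.6, 17.2 < 17.2.3, 17.3 < 17.3.2",
    "CVE-2024-8640": "16.11 – 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2",
    "CVE-2024-6446": "17.1 < 17.1.7, 17.2 < 17.2.5, 17.3 < 17.3.2",
}


def parse_version(text):
    """'17.3.2-ee' -> (17, 3, 2); an edition suffix after '-' is ignored.
    A bare branch such as '17.2' becomes (17, 2), which sorts before
    every (17, 2, x) release, so it works as a lower bound."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def parse_ranges(spec):
    """One table cell -> list of (low, high, high_is_inclusive)."""
    ranges = []
    for part in spec.split(","):
        if "<" in part:
            branch, fixed = part.split("<")
            ranges.append((parse_version(branch), parse_version(fixed), False))
        else:
            low, high = re.split(r"\s*[–-]\s*", part.strip())
            ranges.append((parse_version(low), parse_version(high), True))
    return ranges


def is_affected(version, spec):
    """True if `version` lies inside any range described by `spec`."""
    v = parse_version(version)
    for low, high, inclusive in parse_ranges(spec):
        if low <= v and (v <= high if inclusive else v < high):
            return True
    return False


def affected_cves(version):
    """Sorted list of CVE IDs from AFFECTED that still apply to `version`."""
    return sorted(cve for cve, spec in AFFECTED.items() if is_affected(version, spec))


if __name__ == "__main__":
    for v in ("17.1.6-ee", "17.2.4", "17.3.2"):
        print(v, affected_cves(v) or "not affected by the listed CVEs")
```

Note that CVE-2024-6678 was already fixed in 17.2.3, so a 17.2.4 instance is still exposed to the other two listed issues but not to that one.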
GitLab regularly fixes critical security issues in its software, such as in June and July of this year. Bad actors often exploit such vulnerabilities for attacks, as CISA discovered in May.
(CKU)
