Security patch: GitLab fixes vulnerabilities in server versions
Attackers could inject code, take over other users' accounts and knock the server offline. Admins of self-hosted instances should patch.
With a security update, GitLab fixes sixteen security vulnerabilities in the Community Edition (CE) and Enterprise Edition (EE) of its development server. One critical and several high-severity vulnerabilities make the update mandatory, unless you are a cloud customer or have your own instance administered by GitLab.
In a combined advisory, GitLab covers sixteen issues, one of which (CVE-2024-6678, CVSS 9.9) is rated critical. Under certain circumstances an attacker can trigger a pipeline as an arbitrary user, in particular running an environment's stop action as the owner of that job, and can thereby take down deployment environments. The attacker does, however, need a user account on the targeted GitLab instance.
Among the high-severity vulnerabilities are a code injection via insufficiently sanitised YAML in Product Analytics funnels (CVE-2024-8640, CVSS 8.5), a server-side request forgery via the Dependency Proxy (CVE-2024-8635, CVSS 7.7) and a denial of service triggered by sending an oversized glm_source parameter (CVE-2024-8124, CVSS 7.5). Medium- and low-severity vulnerabilities have also been fixed; see the table below.
As usual, GitLab is holding back details of the vulnerabilities: the security advisory contains only a one-line description of each problem plus some metadata, and the vendor will not publish further details for roughly another month.
| Description | CVE ID | CVSS | Severity | Affected versions |
|---|---|---|---|---|
| Execute environment stop actions as the owner of the stop action job | CVE-2024-6678 | 9.9 | critical | 8.14 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Prevent code injection in Product Analytics funnels YAML | CVE-2024-8640 | 8.5 | high | 16.11 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| SSRF via Dependency Proxy | CVE-2024-8635 | 7.7 | high | 16.8 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Denial of Service via sending a large glm_source parameter | CVE-2024-8124 | 7.5 | high | 16.4 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| CI_JOB_TOKEN can be used to obtain GitLab session token | CVE-2024-8641 | 6.7 | medium | 13.7 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Variables from settings are not overwritten by PEP if a template is included | CVE-2024-8311 | 6.5 | medium | 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Guests can disclose the full source code of projects using custom group-level templates | CVE-2024-4660 | 6.5 | medium | 11.2 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| IdentitiesController allows linking of arbitrary unclaimed provider identities | not assigned at time of publication | 6.4 | medium | 16.9.7 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow | CVE-2024-4283 | 6.4 | medium | 11.1 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Open redirect in release permanent links can lead to account takeover through broken OAuth flow | CVE-2024-4612 | 6.4 | medium | 12.9 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Guest user with Admin group member permission can edit custom role to gain other permissions | CVE-2024-8631 | 5.5 | medium | 16.6 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Exposure of protected and masked CI/CD variables by abusing on-demand DAST | CVE-2024-2763 | 5.3 | medium | 13.3 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Credentials disclosed when repository mirroring fails | CVE-2024-5435 | 4.5 | medium | 15.10 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Commit information visible through release atom endpoint for guest users | CVE-2024-6389 | 4.0 | medium | 16.5 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| User Application can spoof the redirect url | CVE-2024-6446 | 3.5 | low | 17.1 < 17.1.7, 17.2 < 17.2.5, 17.3 < 17.3.2 |
| Group Developers can view group runners information | CVE-2024-6685 | 3.1 | low | 16.7 - 17.1.6, 17.2 < 17.2.5, 17.3 < 17.3.2 |

("a - b" means every release from a up to and including b; "x < y" means every release of the x branch before y. "Description" reproduces the title of each entry in GitLab's advisory.)
Update self-hosted instances!
Three current releases fix the vulnerabilities: 17.3.2, 17.2.5 and 17.1.7, one for each supported release branch of GitLab CE and EE. Administrators of self-hosted instances should update as soon as possible. Those whose projects live in GitLab's own cloud offerings (gitlab.com or GitLab Dedicated) have nothing to do; those instances are already running patched versions.
GitLab regularly fixes critical security issues in its software, as it did in June and July of this year, and malicious actors do exploit such vulnerabilities, as CISA noted in May.
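To turn the three fixed release numbers into an actionable check, here is a small script that classifies an installed GitLab version against them. It is an added example written for this article, not code from heise or from GitLab; it only encodes the fixed releases named above (17.1.7, 17.2.5, 17.3.2) and assumes that anything newer than 17.3.2 already contains the fixes and that branches older than 17.1 received no patch release. The optional live lookup uses GitLab's documented `GET /api/v4/version` endpoint, which requires an access token; the token and the instance URL are placeholders you supply.

```python
"""Check whether a self-hosted GitLab instance carries the fixes from this patch release.

Constructed example for this article; the fixed version numbers come from the advisory
(17.1.7, 17.2.5, 17.3.2). The optional fetch uses GitLab's documented GET /api/v4/version
endpoint, which needs an access token.
"""
import json
import re
import urllib.request

# Fixed releases per supported branch, as listed in the advisory covered above.
FIXED_RELEASES = {
    (17, 1): (17, 1, 7),
    (17, 2): (17, 2, 5),
    (17, 3): (17, 3, 2),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; GitLab may append '-ee' or a pre-release suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def _fmt(v: tuple) -> str:
    return ".".join(str(x) for x in v)


def check_version(version: str) -> dict:
    """Classify an installed version against the patch release.

    Returns {'version': str, 'patched': bool, 'recommended': str | None}; 'recommended' is the
    smallest release on the instance's own branch that contains the fixes, or the newest fixed
    release when the branch is too old to have received a patch (assumption: 17.0 and older).
    """
    installed = parse_version(version)
    branch = installed[:2]
    newest_fixed = max(FIXED_RELEASES.values())  # (17, 3, 2)

    if installed >= newest_fixed:
        # 17.3.2 itself, or any later release, already contains the fixes.
        return {"version": _fmt(installed), "patched": True, "recommended": None}
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        patched = installed >= fixed
        return {"version": _fmt(installed), "patched": patched,
                "recommended": None if patched else _fmt(fixed)}
    # 17.0 and older: no patch release exists for that branch, so jump to the newest fixed one.
    return {"version": _fmt(installed), "patched": False, "recommended": _fmt(newest_fixed)}


def fetch_installed_version(base_url: str, token: str) -> str:
    """Ask a live instance for its version via GET /api/v4/version (authentication required)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions; swap in fetch_installed_version(url, token) for a real check.
    for v in ["17.3.1", "17.3.2", "17.2.4", "17.2.5-ee", "17.1.6", "17.0.4", "16.11.5", "17.4.0"]:
        r = check_version(v)
        state = "patched" if r["patched"] else f"VULNERABLE, upgrade to {r['recommended']}"
        print(f"{v:<10} -> {state}")
```

The check deliberately compares against the patch release as a whole rather than against the per-CVE ranges in the table: an instance that is missing the release is missing all sixteen fixes, and the per-branch logic tells an admin which release is the smallest jump for their branch. For a fleet, run `fetch_installed_version` against each instance and feed the result to `check_version`.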
(cku)