GitLab has made numerous security updates in the latest release. These include a high-severity XSS vulnerability that could allow account takeover for a targeted GitLab user. The developers urge all users to upgrade to the latest patched versions to receive the security fixes.
Fixed high severity GitLab XSS vulnerability
According to a recent post from GitLab, the developers have addressed numerous security issues with the latest release. The most significant fix in the entire update bundle is for a high-severity cross-site scripting (XSS) vulnerability.
Describing this error, identified as CVE-2024-4835, GitLab stated that the vulnerability existed in the VS Code Editor (Web IDE). Exploiting the flaw could allow an adversary to exfiltrate sensitive data by creating maliciously crafted pages.
This vulnerability received a CVSS score of 8.0 and affected GitLab versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. It first caught the attention of security researcher Matan Berson, who reported the matter to GitLab through its HackerOne bug bounty program.
Other security fixes with the latest GitLab update
In addition to the very serious XSS flaw, GitLab has also patched numerous other security issues with the latest updates. These include the following.
- CVE-2024-2874 (CVSS 6.5): A medium severity DoS vulnerability that affects the runner's description field. Exploiting the flaw simply required registering a runner with a crafted description, which would then disrupt the loading of targeted GitLab web resources.
- CVE-2023-7045 (CVSS 5.4): A moderate cross-site request forgery (CSRF) vulnerability that an attacker can exploit via the Kubernetes Agent Server (KAS).
- CVE-2024-5258 (CVSS 4.4): A medium severity authorization vulnerability that allows an authenticated adversary to bypass the pipeline’s authorization logic via a crafted naming convention. GitLab credited its team member Andrew Winata with reporting this issue.
- CVE-2023-6502 (CVSS 4.3): A medium severity denial of service that an adversary can trigger via a maliciously crafted wiki page.
- CVE-2024-1947 (CVSS 4.3): Another moderate DoS bug affecting test_report API calls. An attacker can trigger an attack by sending maliciously crafted API calls.
- CVE-2024-5318 (CVSS 4.3): A medium severity vulnerability that allows an adversary to “view private project dependency lists via task artifacts.”
GitLab has patched all these vulnerabilities with GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.0.1, 16.11.3, and 16.10.6, urging users to update their installations accordingly.
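For administrators who run several self-managed instances, the practical question is which hosts fall inside the affected ranges quoted above and which patched release closes each one. The script below is an added example written for this article, not code from GitLab or from the original post. It encodes the three affected ranges exactly as the advisory text states them (15.11 before 16.10.6, 16.11 before 16.11.3, 17.0 before 17.0.1), and it assumes version strings in the form GitLab itself reports, such as "16.11.2-ee", where the edition suffix is ignored. The inventory of hostnames is constructed for the demonstration.

```python
# Added example: triage GitLab instances against the affected version ranges
# named in the advisory (CVE-2024-4835). Not GitLab's own tooling.

# Each entry is (first affected version, inclusive; first fixed version, exclusive),
# taken verbatim from the advisory text quoted in the article.
AFFECTED_RANGES = [
    ((15, 11, 0), (16, 10, 6)),   # "15.11 before 16.10.6"
    ((16, 11, 0), (16, 11, 3)),   # "16.11 before 16.11.3"
    ((17, 0, 0), (17, 0, 1)),     # "17.0 before 17.0.1"
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable integer tuple.

    GitLab reports versions like '16.11.2-ee'; the '-ee'/'-ce' suffix is dropped
    and a missing patch component is treated as 0, so '16.11' == '16.11.0'.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version_text):
    """True if the version lies inside any of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version_text):
    """Return the patched release that closes the range this version falls in,
    or None when the version is already outside every affected range."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def triage(inventory):
    """Map each host in a {host: version} inventory to 'ok' or 'upgrade to X'."""
    report = {}
    for host, version in inventory.items():
        fixed = minimum_fixed_version(version)
        report[host] = f"upgrade to {fixed}" if fixed else "ok"
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "git-prod.example": "16.11.2-ee",
    "git-staging.example": "17.0.1-ee",
    "git-legacy.example": "15.11.13-ce",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {SAMPLE_INVENTORY[host]:12} {status}")
```

Note that the ranges are checked as half-open intervals: 16.10.6, 16.11.3 and 17.0.1 themselves are treated as fixed, while 16.11.0 is affected even though it is newer than 16.10.6, because it belongs to the second range rather than the first. A version newer than 17.0.1 reports "ok" for this advisory only; it says nothing about later releases.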