GitLab released a security advisory to address 18 vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE). One of these vulnerabilities, tracked as CVE-2024-6678, is given a critical severity rating with a CVSS score of 9.9. Successful exploitation of the vulnerability may allow an attacker to trigger a pipeline as an arbitrary user.
GitLab is a web-based DevOps lifecycle solution built by GitLab Inc., providing unrivaled insight and productivity across the DevOps lifecycle in a single application.
The vulnerabilities patched in the updates are listed below:
- CVE-2024-8641: The vulnerability allows an attacker with a target CI_JOB_TOKEN to obtain a user’s GitLab session token.
- CVE-2024-8311: The vulnerability allows authenticated users to bypass variable overwrite protection by including a CI/CD template.
- CVE-2024-8631: A user assigned the Admin Group Member custom role may exploit the vulnerability to elevate their privileges to include other custom roles.
- CVE-2024-2743: The vulnerability may allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
- CVE-2024-8635: The vulnerability allows an attacker to request internal resources using a custom Maven Dependency Proxy URL.
- CVE-2024-4283: This open redirect vulnerability may allow an attacker to take over the account by breaking the OAuth flow.
- CVE-2024-5435: The vulnerability may allow attackers to disclose user passwords from the repository mirror configuration.
- CVE-2024-6446: An attacker may use a crafted URL to trick a victim into trusting an attacker-controlled application.
- CVE-2024-8640: The vulnerability originates from incomplete input filtering. Successful exploitation of the vulnerability may allow an attacker to inject commands into a connected Cube server.
- CVE-2024-8124: Successful exploitation of the vulnerability may cause a denial of service by sending a significant glm_source parameter.
- CVE-2024-4472: The vulnerability causes dependency proxy credentials to be retained in GraphQL logs.
- CVE-2024-4612: This open redirect vulnerability may allow an attacker to take over the account by breaking the OAuth flow.
- CVE-2024-6685: Successful exploitation of the vulnerability may disclose group runners' information to unauthorized group members.
- CVE-2024-4660: The vulnerability allows a guest to read the source code of a private project by using group templates.
- CVE-2024-6389: A guest user may access commit information via the release Atom endpoint, contrary to the intended permissions.
Affected versions
The vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.3.0, 17.3.1, 17.2.0, 17.2.1, 17.2.2, 17.2.3, 17.2.4, 17.1.0, 17.1.1, 17.1.2, 17.1.3, 17.1.4, 17.1.5, 17.1.6, and earlier.
Mitigation
To patch the vulnerability, GitLab has released versions 17.3.2, 17.2.5, and 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). The fix has also been backported to 16.1.6, 16.2.9, and 16.3.7.
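As an added triage check (not GitLab's or Qualys' code), the fixed and backported versions above can be turned into a function that reports whether an installed GitLab version still needs the update and which fixed release is the nearest upgrade; the rule that a release is patched only when it is on a branch that received a fix and at or above that release, or on a branch newer than 17.3, is an assumption about how GitLab patch releases apply.

```python
"""Triage an installed GitLab version against the CVE-2024-6678 fixed releases.

Constructed example. FIXED_RELEASES holds the fixed and backported versions
named in the advisory; the branch logic is an assumption, not GitLab policy.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by (major, minor) release branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (17, 3): (17, 3, 2),
    (17, 2): (17, 2, 5),
    (17, 1): (17, 1, 7),
    (16, 3): (16, 3, 7),  # backports
    (16, 2): (16, 2, 9),
    (16, 1): (16, 1, 6),
}
NEWEST_FIXED_BRANCH = (17, 3)  # anything newer is assumed to ship with the fix


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z', tolerating the '-ee'/'-ce' suffix GitLab appends to its version strings."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def triage(text: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, recommended_upgrade).

    recommended_upgrade is the lowest fixed release above the installed one,
    which stays on the same branch whenever that branch received a fix.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch > NEWEST_FIXED_BRANCH:
        return False, None
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None and version >= fixed:
        return False, None
    # Vulnerable: branches without a backport (e.g. 17.0.x) must move to a fixed branch.
    target = min(f for f in FIXED_RELEASES.values() if f > version)
    return True, ".".join(str(n) for n in target)
```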
For more information, please visit the GitLab release announcement page.
Qualys Detection
Qualys customers can scan their devices with QID 380490 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/