WARNING: GITLAB CE/EE PATCHED TWO CRITICAL XSS VULNERABILITIES, PATCH IMMEDIATELY!
CVE-2024-3092 : CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2024-2279 : CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Sources
https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/
Risks
GitLab released a security update. The release addresses multiple serious flaws, with the most critical being stored cross-site scripting (XSS) vulnerabilities. Attackers could exploit these vulnerabilities to hijack user sessions, steal sensitive data, or gain further footholds within a targeted system. The impact on the Integrity and Confidentiality is High.
Description
CVE-2024-3092 - Stored XSS injected in diff viewer
A crafted payload may lead to a stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.
CVE-2024-3092 affects all versions starting from 16.9 before 16.9. and all versions starting from 16.10 before 16.10.2.
CVE-2024-2279 - Stored XSS via autocomplete results
Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
CVE-2024-2279 affects all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4 and all versions starting from 16.10 before 16.10.2.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://securityonline.info/gitlab-races-to-fix-critical-xss-flaws-dont-delay-your-upgrade/