
WARNING: GITLAB CE/EE PATCHED TWO CRITICAL XSS VULNERABILITIES, PATCH IMMEDIATELY!

Reference: Advisory #2024-52
Version: 1.0
Affected software: GitLab CE/EE
Type: XSS (Cross-site scripting)
CVE/CVSS:

CVE-2024-3092: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2024-2279: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

 

Sources

https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/

Risks

GitLab released a security update. The release addresses multiple serious flaws, the most critical being two stored cross-site scripting (XSS) vulnerabilities. An attacker could exploit them to hijack user sessions, steal sensitive data, or gain a further foothold within a targeted system. The impact on Integrity and Confidentiality is High.

 

Description

CVE-2024-3092 - Stored XSS injected in diff viewer

A crafted payload may lead to a stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.

CVE-2024-3092 affects all versions starting from 16.9 before 16.9. and all versions starting from 16.10 before 16.10.2.

CVE-2024-2279 - Stored XSS via autocomplete results

Using the issue-references autocomplete feature, a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.

CVE-2024-2279 affects all versions starting from 16.7 to 16.8.6, all versions starting from 16.9 before 16.9.4, and all versions starting from 16.10 before 16.10.2.
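To turn the affected-version statements above into a repeatable inventory check, here is an added example (not part of this advisory or of GitLab's own tooling) that matches an installed GitLab version string against the ranges listed for both CVEs. It assumes the upper bound "16.8.6" is exclusive (i.e. 16.8.6 is the patched release), and because the page truncates the 16.9 upper bound for CVE-2024-3092, it conservatively flags every 16.9.x release for that CVE.

```python
"""Match a GitLab version string against the affected ranges stated in this advisory."""

# (cve, lower bound inclusive, upper bound exclusive)
# An upper bound of None means the page does not state it ("16.9 before 16.9."),
# so the whole minor branch is conservatively treated as affected for that CVE.
AFFECTED_RANGES = [
    ("CVE-2024-3092", (16, 9, 0), None),          # upper bound truncated on the page
    ("CVE-2024-3092", (16, 10, 0), (16, 10, 2)),  # "16.10 before 16.10.2"
    ("CVE-2024-2279", (16, 7, 0), (16, 8, 6)),    # "16.7 to 16.8.6" (assumed exclusive)
    ("CVE-2024-2279", (16, 9, 0), (16, 9, 4)),    # "16.9 before 16.9.4"
    ("CVE-2024-2279", (16, 10, 0), (16, 10, 2)),  # "16.10 before 16.10.2"
]


def parse_version(text):
    """Parse strings such as '16.10.1', '16.10.1-ee' or 'v16.9.3' into (major, minor, patch)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # pad '16.10' to 16.10.0
    return tuple(nums[:3])


def affected_cves(text):
    """Return the sorted CVE ids from this advisory whose stated ranges cover the version."""
    version = parse_version(text)
    hits = set()
    for cve, low, high in AFFECTED_RANGES:
        if high is None:
            # unknown upper bound: flag every release on that minor branch
            in_range = version[:2] == low[:2]
        else:
            in_range = low <= version < high
        if in_range:
            hits.add(cve)
    return sorted(hits)


if __name__ == "__main__":
    # constructed sample inventory, e.g. collected from `gitlab-rake gitlab:env:info`
    for host, ver in [("git-a", "16.10.1-ee"), ("git-b", "16.8.5"), ("git-c", "16.10.2")]:
        cves = affected_cves(ver)
        print(f"{host} {ver}: {'PATCH NOW ' + ', '.join(cves) if cves else 'not in listed ranges'}")
```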

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

 
