
WARNING: MULTIPLE VULNERABILITIES PATCHED IN GITLAB CE/EE

Reference: 
Advisory #2024-99
Version: 
1.0
Affected software: 
GitLab CE/EE
Type: 
Multiple, including stored XSS, CSRF, cross-window forgery and denial of service
CVE/CVSS: 
CVE-2024-5655: CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
CVE-2024-4901: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2024-4994: CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
CVE-2024-6323: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1...

Risks

GitLab has released security patches for its DevOps and source code management platform. The fixes ship in versions 17.1.1, 17.0.3 and 16.11.5 and apply to both the Community Edition (CE) and the Enterprise Edition (EE); any instance on an older release of these series, or on an earlier series without a backport, should be considered vulnerable.
 
A total of 14 vulnerabilities were patched. At the time of writing, there are no reports of any of them being actively exploited.

Description

CVE-2024-5655 could allow an attacker to trigger a CI pipeline as another user under certain circumstances. According to its CVSS vector it requires only a low-privileged account and no user interaction, and its impact crosses the scope of the vulnerable component. It is rated critical with a score of 9.6. 
 
CVE-2024-4901 is a stored cross-site scripting (XSS) vulnerability: malicious commit notes can be injected into a project when it is imported, after which the script is persisted on the server and executes in the browser of users who view the project. 
 
CVE-2024-4994 is a cross-site request forgery (CSRF) vulnerability in GitLab's GraphQL API. A victim who is lured to an attacker-controlled page can be made to execute arbitrary GraphQL mutations in the context of their session.
 
CVE-2024-6323 allows an attacker to leak the contents of a private repository within a public project.
Other vulnerabilities patched by GitLab:
  • CVE-2024-2177 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8)
  • CVE-2024-5430 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N, 6.8)
  • CVE-2024-4025 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5)
  • CVE-2024-3959 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5)
  • CVE-2024-4557 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5)
  • CVE-2024-1493 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5)
  • CVE-2024-1816 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.3)
  • CVE-2024-2191 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3)
  • CVE-2024-3115 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3)
  • CVE-2024-4011 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1)
 

Recommended actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable GitLab instances with the highest priority, after thorough testing. Verify the running version after the upgrade: an instance is only covered if it runs at least 17.1.1, 17.0.3 or 16.11.5 for its respective series.
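The following is an added example for checking an inventory of GitLab versions against the fixed releases named in this advisory; it is not code from GitLab or from the CCB. It assumes that releases newer than 17.1.1 carry the fixes and that series older than 16.11 received no backport (the advisory only lists fixes for 17.1, 17.0 and 16.11), and it treats version strings such as "17.1.0-ee" the way GitLab's own version endpoint reports them. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases listed in the advisory: 17.1.1, 17.0.3 and 16.11.5.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 1): (17, 1, 1),
    (17, 0): (17, 0, 3),
    (16, 11): (16, 11, 5),
}


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-ee' into a (major, minor, patch) tuple.

    Anything after the third numeric component (e.g. '-ee') is ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(raw: str) -> bool:
    """True if the version includes the fixes from this advisory."""
    major, minor, patch = parse_version(raw)
    series = (major, minor)
    if series in FIXED_RELEASES:
        # Within a series that received a fix, compare against the fixed patch level.
        return (major, minor, patch) >= FIXED_RELEASES[series]
    # Assumption: series newer than 17.1 ship with the fixes; series older
    # than 16.11 have no backport and must be upgraded.
    return series > max(FIXED_RELEASES)


def check_instances(instances: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Return (name, version, patched) for each instance in the inventory."""
    return [(name, ver, is_patched(ver)) for name, ver in instances.items()]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "gitlab-build": "17.1.0-ee",
        "gitlab-legacy": "16.11.5",
        "gitlab-lab": "16.10.7-ee",
        "gitlab-new": "17.2.0",
    }
    for name, ver, ok in check_instances(sample):
        print(f"{name:15} {ver:12} {'patched' if ok else 'UPDATE REQUIRED'}")
```

In practice the version string for each instance can be retrieved from GitLab's REST API (GET /api/v4/version, which requires an authenticated token) and fed into check_instances; the comparison itself runs offline.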
 
Monitor/Detect
 
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, so that they can respond swiftly in case of an intrusion. For this advisory, that includes reviewing CI pipelines that were triggered under an account whose owner did not start them, and unexpected changes to project settings or membership made through the GraphQL API.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching software to the newest version protects against future exploitation, it does not remediate a compromise that may already have taken place before the patch was applied.