GitLab Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in GitLab products. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2024-5655

  • GitLab CE/EE versions: 15.8 (inclusive) ~ 16.11.5 (exclusive)
  • GitLab CE/EE versions: 17.0 (inclusive) ~ 17.0.3 (exclusive)
  • GitLab CE/EE versions: 17.1 (inclusive) ~ 17.1.1 (exclusive)


CVE-2024-4901

  • GitLab CE/EE versions: 16.9 (inclusive) ~ 16.11.5 (exclusive)
  • GitLab CE/EE versions: 17.0 (inclusive) ~ 17.0.3 (exclusive)
  • GitLab CE/EE versions: 17.1 (inclusive) ~ 17.1.1 (exclusive)


CVE-2024-6323

  • GitLab CE/EE versions: 16.11 (inclusive) ~ 16.11.5 (exclusive)
  • GitLab CE/EE versions: 17.0 (inclusive) ~ 17.0.3 (exclusive)
  • GitLab CE/EE versions: 17.1 (inclusive) ~ 17.1.1 (exclusive)


Resolved Vulnerabilities

Vulnerability in GitLab CE/EE that could allow an attacker to trigger a pipeline to a different version (CVE-2024-5655)
Vulnerability in the GraphQL API of GitLab CE/EE that could allow execution of arbitrary GraphQL variants (CVE-2024-4901)
Vulnerability in GitLab CE/EE caused by improper authentication for global searches in GitLab EE, which could allow an attacker to exfiltrate private repository content in public projects (CVE-2024-6323)


Vulnerability Patches

Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest patched version.


CVE-2024-5655, CVE-2024-4901, CVE-2024-6323

  • GitLab CE/EE version 16.11.5
  • GitLab CE/EE version 17.0.3
  • GitLab CE/EE version 17.1.1
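As an added example that is not part of this advisory, the following Python checker encodes the affected ranges and fixed versions listed above and reports which of the three CVEs a given GitLab version falls under, so an operator can triage an instance before patching. The dotted version-string format and the stripping of a build suffix such as "-ee" are assumptions of the example.

```python
"""Triage helper: which CVEs from this advisory affect a given GitLab CE/EE version?"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges exactly as listed in the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2024-5655": [("15.8", "16.11.5"), ("17.0", "17.0.3"), ("17.1", "17.1.1")],
    "CVE-2024-4901": [("16.9", "16.11.5"), ("17.0", "17.0.3"), ("17.1", "17.1.1")],
    "CVE-2024-6323": [("16.11", "16.11.5"), ("17.0", "17.0.3"), ("17.1", "17.1.1")],
}

# Patched versions named in the advisory.
FIXED: List[str] = ["16.11.5", "17.0.3", "17.1.1"]


def parse(version: str) -> Version:
    """'16.11.5' -> (16, 11, 5). A build suffix like '17.0.2-ee' (assumed format) is dropped.
    Tuples compare component-wise, so (17, 0) <= (17, 0, 1) holds, which makes a two-part
    lower bound such as '17.0' behave as 'from 17.0.0 upwards'."""
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version < high, matching the advisory's inclusive/exclusive bounds."""
    return parse(low) <= parse(version) < parse(high)


def affecting_cves(version: str) -> List[str]:
    """Return the CVEs from this advisory whose affected ranges contain the given version."""
    return [
        cve
        for cve, ranges in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in ranges)
    ]


def fixed_versions_are_clean() -> bool:
    """Sanity check that every patched version lies outside all affected ranges."""
    return all(not affecting_cves(fixed) for fixed in FIXED)


if __name__ == "__main__":
    for sample in ["16.10.0", "16.11.4", "16.11.5", "17.0.2-ee", "17.1.1"]:
        print(sample, "->", affecting_cves(sample) or "not in any listed range")
```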

Referenced Sites

[1] CVE-2024-5655 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-5655

[2] CVE-2024-4901 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-4901

[3] CVE-2024-6323 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-6323

[4] GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5

https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/