GitLab CE/EE Product Security Update Advisory

Overview

An update has been released to fix vulnerabilities in GitLab CE/EE. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2024-1451

  • GitLab CE/EE version 16.9

CVE-2023-6477

  • GitLab EE from 16.5 before 16.7.6
  • GitLab EE from 16.8 before 16.8.3
  • GitLab EE from 16.9 before 16.9.1

CVE-2023-6736

  • GitLab EE from 11.3 before 16.7.6
  • GitLab EE from 16.8 before 16.8.3
  • GitLab EE from 16.9 before 16.9.1

CVE-2024-1525

  • GitLab CE/EE from 16.1 before 16.7.2
  • GitLab CE/EE from 16.8 before 16.8.2
  • GitLab CE/EE from 16.9 before 16.9.2

CVE-2023-4895

  • GitLab EE from 12.0 before 16.7.6
  • GitLab EE from 16.8 before 16.8.3
  • GitLab EE from 16.9 before 16.9.1

CVE-2024-0861

  • GitLab EE from 16.4 before 16.7.6
  • GitLab EE from 16.8 before 16.8.3
  • GitLab EE from 16.9 before 16.9.1

CVE-2023-3509

  • All GitLab versions before 16.7.6
  • GitLab from 16.8 before 16.8.3
  • GitLab from 16.9 before 16.9.1

CVE-2024-0410

  • GitLab from 15.1 before 16.7.6
  • GitLab from 16.8 before 16.8.3
  • GitLab from 16.9 before 16.9.1

Resolved Vulnerabilities

  • Stored XSS vulnerability in the user profile page in GitLab CE/EE (CVE-2024-1451)
  • Elevation of privilege vulnerability in GitLab EE that could allow a user with the admin_group_members privilege to be designated as the owner of a group (CVE-2023-6477)
  • ReDoS vulnerability in the Codeowners reference extractor in GitLab EE (CVE-2023-6736)
  • Vulnerability in GitLab CE/EE that allows LDAP users to reset their password using a secondary email and log in using direct authentication (CVE-2024-1525)
  • Group IP restriction setting bypass vulnerability in GitLab EE, via the Environment/Operations dashboard, allowing access to a project's environment details (CVE-2023-4895)
  • Vulnerability in GitLab EE that allows a user with guest privileges to change the custom dashboard project settings of a project (CVE-2024-0861)
  • Vulnerability in GitLab that allows group members with sub-administrator roles to change the title of a shared private deploy key (CVE-2023-3509)
  • Code owner approval bypass vulnerability in GitLab (CVE-2024-0410)

Vulnerability Patches

Vulnerability patches were made available in the February 21, 2024 update. Please update to the latest patched version, as listed on the referenced site.

GitLab versions 16.9.1, 16.8.3, 16.7.6
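As an added example (not part of the advisory and not GitLab's own tooling), the following script checks an installed GitLab version against the affected ranges listed above and names the patched release for its branch. The range table transcribes the version boundaries exactly as this advisory states them, with the lower bound inclusive and the upper bound exclusive; treating the bare "16.9" of CVE-2024-1451 as 16.9.0, treating entries that say only "GitLab" as covering both editions, the layout of the constructed `gitlab:env:info` sample, and the rule that an `-ee` suffix marks Enterprise Edition are assumptions.

```python
"""Check an installed GitLab version against the affected ranges in this advisory.

Added example, not GitLab's own tooling. The range table transcribes the version
boundaries exactly as the advisory above states them (lower bound inclusive,
upper bound exclusive). Assumptions are marked in comments.
"""
from __future__ import annotations

import re

# Patched releases named by the advisory, one per maintained branch.
FIXED_VERSIONS = ("16.7.6", "16.8.3", "16.9.1")

# CVE -> (editions affected, [(first affected, first fixed), ...]).
# "CE"/"EE" follows the advisory; entries that just say "GitLab" are taken to
# cover both editions (assumption).
ADVISORY_RANGES: dict[str, tuple[set[str], list[tuple[str, str]]]] = {
    # Advisory lists only "16.9"; treated as 16.9.0 up to the 16.9.1 fix (assumption).
    "CVE-2024-1451": ({"CE", "EE"}, [("16.9", "16.9.1")]),
    "CVE-2023-6477": ({"EE"}, [("16.5", "16.7.6"), ("16.8", "16.8.3"), ("16.9", "16.9.1")]),
    "CVE-2023-6736": ({"EE"}, [("11.3", "16.7.6"), ("16.8", "16.8.3"), ("16.9", "16.9.1")]),
    "CVE-2024-1525": ({"CE", "EE"}, [("16.1", "16.7.2"), ("16.8", "16.8.2"), ("16.9", "16.9.2")]),
    "CVE-2023-4895": ({"EE"}, [("12.0", "16.7.6"), ("16.8", "16.8.3"), ("16.9", "16.9.1")]),
    "CVE-2024-0861": ({"EE"}, [("16.4", "16.7.6"), ("16.8", "16.8.3"), ("16.9", "16.9.1")]),
    "CVE-2023-3509": ({"CE", "EE"}, [("0.0", "16.7.6"), ("16.8", "16.8.3"), ("16.9", "16.9.1")]),
    "CVE-2024-0410": ({"CE", "EE"}, [("15.1", "16.7.6"), ("16.8", "16.8.3"), ("16.9", "16.9.1")]),
}

# Accepts "16.7.5", "16.9" and suffixed builds such as "16.9.1-ee".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def affected_cves(version: str, edition: str) -> list[str]:
    """Return the advisory CVEs whose ranges contain this version and edition."""
    v = parse_version(version)
    ed = edition.upper()
    return [
        cve
        for cve, (editions, ranges) in ADVISORY_RANGES.items()
        if ed in editions
        and any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)
    ]


def recommended_fix(version: str) -> str:
    """Patched release on the installed branch; for a branch the advisory did not
    patch, its advice is to move to the latest version, i.e. the newest patched release."""
    branch = parse_version(version)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == branch:
            return fixed
    return FIXED_VERSIONS[-1]


def version_from_env_info(text: str) -> tuple[str, str]:
    """Extract (version, edition) from `gitlab-rake gitlab:env:info` output.

    Assumption: the GitLab version sits on a line starting with 'Version:' and
    Enterprise Edition builds carry an '-ee' suffix; anything else is treated as CE.
    """
    m = re.search(r"^Version:\s+(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line found")
    version = m.group(1)
    edition = "EE" if version.endswith("-ee") else "CE"
    return version, edition


# Constructed sample modelled on gitlab:env:info output; not captured from a real host.
SAMPLE_ENV_INFO = """\
System information
System:
Current User:   git
Ruby Version:   3.1.4p223
GitLab information
Version:        16.9.0-ee
Revision:       placeholder
"""

if __name__ == "__main__":
    version, edition = version_from_env_info(SAMPLE_ENV_INFO)
    hits = affected_cves(version, edition)
    print(f"GitLab {version} ({edition}) affected by: {', '.join(hits) or 'none'}")
    if hits:
        print(f"upgrade to at least {recommended_fix(version)}")
```

Run it against the real `sudo gitlab-rake gitlab:env:info` output instead of the constructed sample to get a per-host verdict; because the ranges are copied from the advisory verbatim, a version that falls outside every range but below the branch's patched release should still be treated as a candidate for upgrade rather than as cleared.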

Referenced Sites

[1] GitLab Security Release: 16.9.1, 16.8.3, 16.7.6
https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/