GitLab Product Security Update Advisory
Overview
An update has been released to address vulnerabilities in GitLab Products. Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-2800
- GitLab EE/CE versions: 11.3 (inclusive) ~ 17.0.6 (excluded)
- GitLab EE/CE versions: 17.1 (inclusive) ~ 17.1.4 (excluded)
- GitLab EE/CE versions: 17.2 (inclusive) ~ 17.2.2 (excluded)
CVE-2024-6329
- GitLab EE/CE versions: 8.16 (inclusive) ~ 17.0.6 (excluded)
- GitLab EE/CE versions: 17.1 (inclusive) ~ 17.1.4 (excluded)
- GitLab EE/CE versions: 17.2 (inclusive) ~ 17.2.2 (excluded)
CVE-2024-3035
- GitLab CE/EE versions: 8.12 (inclusive) ~ 17.0.6 (excluded)
- GitLab CE/EE versions: 17.1 (inclusive) ~ 17.1.4 (excluded)
- GitLab CE/EE versions: 17.2 (inclusive) ~ 17.2.2 (excluded)
Resolved Vulnerabilities
Vulnerability in GitLab EE/CE that allows denial of service via regular expression backtracking (CVE-2024-2800)
Vulnerability in GitLab EE/CE where the web interface fails to render diffs correctly when the path is encoded (CVE-2024-6329)
Vulnerability in GitLab CE/EE where a permission-check flaw allows LFS tokens to read and write user-owned repositories (CVE-2024-3035)
Vulnerability Patches
The following product-specific patched versions have been made available in the latest update. Please follow the instructions on the referenced sites below to update to the patched versions.
CVE-2024-2800, CVE-2024-6329, CVE-2024-3035
- GitLab EE/CE version: 17.0.6
- GitLab EE/CE version: 17.1.4
- GitLab EE/CE version: 17.2.2
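The affected ranges above use inclusive lower bounds and excluded upper bounds, and the lower bound differs per CVE, so a single "am I below 17.2.2?" check is not enough to know which advisories apply to an older branch. The following checker, added here as an example and not part of the original advisory, transcribes the ranges from the Affected Products section and the fixed versions from the Vulnerability Patches section, and reports which CVEs apply to a given GitLab version and the lowest patched version at or above it. The version strings fed to it (for instance "17.1.3-ee") are constructed samples; the only assumption is that the instance reports its version as MAJOR.MINOR.PATCH with an optional edition suffix.

```python
"""Check a GitLab version against the affected ranges in this advisory.

Added example, not part of the original advisory. The ranges below are
transcribed from the advisory's "Affected Products" section and the fixed
versions from "Vulnerability Patches"; the inputs used are constructed samples.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple, padded to three parts.

    An edition suffix such as '-ee' (assumed format, e.g. '17.1.3-ee') is dropped.
    """
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (3 - len(parts))


# Each range is [start, end): start inclusive, end excluded, as the advisory states.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2024-2800": [
        (parse_version("11.3"), parse_version("17.0.6")),
        (parse_version("17.1"), parse_version("17.1.4")),
        (parse_version("17.2"), parse_version("17.2.2")),
    ],
    "CVE-2024-6329": [
        (parse_version("8.16"), parse_version("17.0.6")),
        (parse_version("17.1"), parse_version("17.1.4")),
        (parse_version("17.2"), parse_version("17.2.2")),
    ],
    "CVE-2024-3035": [
        (parse_version("8.12"), parse_version("17.0.6")),
        (parse_version("17.1"), parse_version("17.1.4")),
        (parse_version("17.2"), parse_version("17.2.2")),
    ],
}

# Patched versions listed under "Vulnerability Patches".
FIXED: List[Version] = [parse_version(v) for v in ("17.0.6", "17.1.4", "17.2.2")]


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE ids from this advisory whose affected ranges contain the version."""
    v = parse_version(version_text)
    return [
        cve
        for cve, ranges in AFFECTED.items()
        if any(start <= v < end for start, end in ranges)
    ]


def recommended_fix(version_text: str) -> Optional[str]:
    """Return the lowest patched version at or above the given one, or None if
    the version is not affected by any CVE in this advisory."""
    if not affected_cves(version_text):
        return None
    v = parse_version(version_text)
    candidates = [f for f in FIXED if f >= v]
    return ".".join(str(n) for n in min(candidates))


if __name__ == "__main__":
    # Constructed sample inputs covering an old branch, each 17.x branch and a fixed release.
    for sample in ("8.14.0", "10.0.0", "17.0.5", "17.1.3-ee", "17.2.0", "17.2.2"):
        print(sample, affected_cves(sample), recommended_fix(sample))
```

Running the block prints, for each sample, the CVE ids whose ranges contain it and the patched version to move to; a version on an older branch (e.g. 8.14) matches only the CVE whose lower bound reaches that far back, which is exactly the distinction the per-CVE ranges above encode.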
References
[1] CVE-2024-2800 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-2800
[2] GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6
https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-released/
[3] CVE-2024-6329 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-6329
[4] CVE-2024-3035 Detail