GitLab Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in GitLab Products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-4660

  • GitLab EE versions: 11.2 (inclusive) ~ 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-2743

  • GitLab EE versions: 13.3 (inclusive) ~ 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-8631

  • GitLab EE versions: 16.6 (inclusive) ~ 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-8640

  • GitLab EE versions: 16.11 (inclusive) ~ 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-8635

  • GitLab EE versions: 16.8 (inclusive) ~ 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-8311

  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-4283

  • GitLab EE versions: 11.1 (inclusive) ~ 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-8124

  • GitLab CE/EE versions: 16.4 (inclusive) ~ 17.1.7 (excluded)
  • GitLab CE/EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab CE/EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

CVE-2024-8641

  • GitLab CE/EE versions: 13.7 (inclusive) ~ 17.1.7 (excluded)
  • GitLab CE/EE versions: 17.2 (inclusive) ~ 17.2.5 (excluded)
  • GitLab CE/EE versions: 17.3 (inclusive) ~ 17.3.2 (excluded)

Resolved Vulnerabilities

Vulnerability in GitLab EE that allows guests to read the source code of personal projects using group templates (CVE-2024-4660)

Vulnerability in GitLab EE that could allow an attacker without the required privileges to modify on-demand DAST checks and leak variables (CVE-2024-2743)

Privilege escalation vulnerability in GitLab EE where the Admin Group Member user role could expand its privileges to include other custom roles (CVE-2024-8631)

Vulnerability in GitLab EE due to incomplete input filtering that could allow command injection against a connected Cube server (CVE-2024-8640)

Vulnerability in GitLab EE that could allow an attacker to make requests to internal resources using a custom Maven dependency proxy URL (CVE-2024-8635)

Vulnerability in GitLab EE that could allow authenticated users to bypass variable overwrite protection, including in CI/CD templates (CVE-2024-8311)

An open redirect vulnerability in GitLab EE that could allow account takeover by breaking the OAuth flow under certain conditions (CVE-2024-4283)

Vulnerability in GitLab CE/EE where sending certain POST requests could result in a denial of service (CVE-2024-8124)

Vulnerability in GitLab CE/EE that could allow an attacker with the victim’s CI_JOB_TOKEN to obtain the GitLab session token belonging to the victim (CVE-2024-8641)

Vulnerability Patches

The following product-specific vulnerability patches have been made available in the latest update. If you are using an affected version, please follow the instructions on the referenced sites to update to the patched version.

CVE-2024-4660, CVE-2024-2743, CVE-2024-8631, CVE-2024-8640, CVE-2024-8635, CVE-2024-4283

  • GitLab EE version: 17.1.7
  • GitLab EE version: 17.2.5
  • GitLab EE version: 17.3.2

CVE-2024-8311

  • GitLab EE version: 17.2.5
  • GitLab EE version: 17.3.2

CVE-2024-8124, CVE-2024-8641

  • GitLab CE/EE version: 17.1.7
  • GitLab CE/EE version: 17.2.5
  • GitLab CE/EE version: 17.3.2
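As an added example that is not part of the advisory, the following Python maps an installed GitLab version and edition to the CVEs listed above and to the patch release on its branch. The version bounds are transcribed from the Affected Products and Vulnerability Patches sections; treating every branch older than 17.1 as upgrading to 17.1.7 is an assumption read from those ranges.

```python
"""Map an installed GitLab version to the CVEs in this advisory and the patch release to move to."""

# Patched versions per release branch, from the "Vulnerability Patches" section.
FIXED = {(17, 1): (17, 1, 7), (17, 2): (17, 2, 5), (17, 3): (17, 3, 2)}

# Lower bound (inclusive) of each CVE's affected range, from "Affected Products".
# CVE-2024-8311 lists no branch older than 17.2, so its lower bound is 17.2.
INTRODUCED = {
    "CVE-2024-4660": (11, 2, 0),
    "CVE-2024-2743": (13, 3, 0),
    "CVE-2024-8631": (16, 6, 0),
    "CVE-2024-8640": (16, 11, 0),
    "CVE-2024-8635": (16, 8, 0),
    "CVE-2024-8311": (17, 2, 0),
    "CVE-2024-4283": (11, 1, 0),
    "CVE-2024-8124": (16, 4, 0),
    "CVE-2024-8641": (13, 7, 0),
}

# Only these two CVEs are listed for CE as well as EE; the rest are EE-only.
CE_CVES = {"CVE-2024-8124", "CVE-2024-8641"}


def parse_version(text):
    """Turn '17.3.1' or '17.3.1-ee' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def fixed_version_for(version):
    """Patched version on the branch covering `version`, or None if the advisory lists none."""
    branch = version[:2]
    if branch in FIXED:
        return FIXED[branch]
    if branch < (17, 1):
        return FIXED[(17, 1)]  # assumption: every branch older than 17.1 moves to 17.1.7
    return None  # 17.4 and later fall outside the advisory's ranges


def affected_cves(version_text, edition="EE"):
    """Return the CVEs from this advisory that apply to the given version and edition.

    Ranges are half-open: the introducing version is included, the patched one excluded.
    """
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    if fixed is None or version >= fixed:
        return []
    cves = [cve for cve, low in INTRODUCED.items() if version >= low]
    if edition.upper() == "CE":
        cves = [cve for cve in cves if cve in CE_CVES]
    return cves
```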

Referenced Sites

[1] GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/