GitLab Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in GitLab products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-9164

  • GitLab EE versions: 12.5 (inclusive) to 17.2.9 (exclusive)
  • GitLab EE versions: 17.3 (inclusive) to 17.3.5 (exclusive)
  • GitLab EE versions: 17.4 (inclusive) to 17.4.2 (exclusive)

CVE-2024-8970

  • GitLab CE/EE versions: 11.6 (inclusive) to 17.2.9 (exclusive)
  • GitLab CE/EE versions: 17.3 (inclusive) to 17.3.5 (exclusive)
  • GitLab CE/EE versions: 17.4 (inclusive) to 17.4.2 (exclusive)

CVE-2024-8977

  • GitLab EE versions: 15.10 (inclusive) to 17.2.9 (exclusive)
  • GitLab EE versions: 17.3 (inclusive) to 17.3.5 (exclusive)
  • GitLab EE versions: 17.4 (inclusive) to 17.4.2 (exclusive)

CVE-2024-9631

  • GitLab CE/EE versions: 13.6 (inclusive) to 17.2.9 (exclusive)
  • GitLab CE/EE versions: 17.3 (inclusive) to 17.3.5 (exclusive)
  • GitLab CE/EE versions: 17.4 (inclusive) to 17.4.2 (exclusive)

CVE-2024-6530

  • GitLab CE/EE versions: 17.1 (inclusive) to 17.2.9 (exclusive)
  • GitLab CE/EE versions: 17.3 (inclusive) to 17.3.5 (exclusive)
  • GitLab CE/EE versions: 17.4 (inclusive) to 17.4.2 (exclusive)
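
As an added illustration (not part of this advisory and not GitLab's own tooling), the check below maps an installed GitLab version and edition to the CVEs listed above and to the patched release for its branch, using only the ranges as stated here; the version-string format it accepts and the CE/EE gating are assumptions made for the example.

```python
"""Map an installed GitLab version to the CVEs and patched release from this advisory."""
import re

# The three patched releases that close the ranges above. The 17.3 and 17.4 branches
# start at 17.3.0 / 17.4.0; the oldest range starts at each CVE's first affected version.
PATCHED = ((17, 2, 9), (17, 3, 5), (17, 4, 2))
BRANCH_START = {(17, 3, 5): (17, 3, 0), (17, 4, 2): (17, 4, 0)}

# CVE -> (affected editions, first affected version), taken from the Affected Products list.
ADVISORY = {
    "CVE-2024-9164": ({"EE"}, (12, 5, 0)),
    "CVE-2024-8970": ({"CE", "EE"}, (11, 6, 0)),
    "CVE-2024-8977": ({"EE"}, (15, 10, 0)),
    "CVE-2024-9631": ({"CE", "EE"}, (13, 6, 0)),
    "CVE-2024-6530": ({"CE", "EE"}, (17, 1, 0)),
}


def parse_version(text):
    """'17.3.4-ee' -> (17, 3, 4); missing components are padded with zeros (assumed format)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def affected_cves(version, edition):
    """Return {cve: fixed_version} for every advisory entry that covers this install."""
    v = parse_version(version)
    edition = edition.upper()
    result = {}
    for cve, (editions, first) in ADVISORY.items():
        if edition not in editions:          # EE-only CVEs do not apply to a CE install
            continue
        for fixed in PATCHED:
            start = BRANCH_START.get(fixed, first)
            if start <= v < fixed:           # half-open range: start inclusive, fix exclusive
                result[cve] = ".".join(map(str, fixed))
                break
    return result


if __name__ == "__main__":
    # Constructed sample input: a 17.3.x CE install.
    print(affected_cves("17.3.4", "CE"))
```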

Resolved Vulnerabilities

Vulnerability that could allow pipelines to run on arbitrary branches (CVE-2024-9164)

Vulnerability that could allow an attacker to trigger a pipeline as a different user under certain circumstances (CVE-2024-8970)

SSRF vulnerability when the Product Analytics Dashboard is configured and enabled (CVE-2024-8977)

Vulnerability where viewing diffs of merge requests (MRs) with conflicts could be slow (CVE-2024-9631)

XSS vulnerability where adding authorization to an application could cause it to render as HTML under certain circumstances (CVE-2024-6530)

Vulnerability Patches

The following product-specific patches have been made available in the latest update. If you are using an affected version, follow the instructions on the referenced site to update to a patched version.

CVE-2024-8970, CVE-2024-9631, CVE-2024-6530

  • GitLab CE/EE version: 17.2.9
  • GitLab CE/EE version: 17.3.5
  • GitLab CE/EE version: 17.4.2

CVE-2024-9164, CVE-2024-8977

  • GitLab EE version: 17.2.9
  • GitLab EE version: 17.3.5
  • GitLab EE version: 17.4.2

References

[1] GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9

https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/