GitLab Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in GitLab products. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2024-8635

  • GitLab EE versions: 16.8 (inclusive) to 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) to 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) to 17.3.2 (excluded)

CVE-2024-6678

  • GitLab CE/EE versions: 8.14 (inclusive) to 17.1.7 (excluded)
  • GitLab CE/EE versions: 17.2 (inclusive) to 17.2.5 (excluded)
  • GitLab CE/EE versions: 17.3 (inclusive) to 17.3.2 (excluded)

CVE-2024-8640

  • GitLab EE versions: 16.11 (inclusive) to 17.1.7 (excluded)
  • GitLab EE versions: 17.2 (inclusive) to 17.2.5 (excluded)
  • GitLab EE versions: 17.3 (inclusive) to 17.3.2 (excluded)

CVE-2024-8124

  • GitLab CE/EE versions: 16.4 (inclusive) to 17.1.7 (excluded)
  • GitLab CE/EE versions: 17.2 (inclusive) to 17.2.5 (excluded)
  • GitLab CE/EE versions: 17.3 (inclusive) to 17.3.2 (excluded)

Resolved Vulnerabilities

Vulnerability that could allow an attacker to make requests to internal resources through a custom Maven dependency proxy URL (CVE-2024-8635)

Vulnerability that could allow an attacker to trigger a pipeline as an arbitrary user under certain circumstances (CVE-2024-6678)

Vulnerability that could allow command injection against a connected Cube server due to incomplete input filtering (CVE-2024-8640)

Vulnerability that could cause a denial of service by sending an oversized glm_source parameter (CVE-2024-8124)

Vulnerability Patches

The following product-specific vulnerability patches have been made available in the latest update. If you are using an affected version, please follow the instructions on the referenced site to update to one of the patched versions listed below.

CVE-2024-8635, CVE-2024-6678, CVE-2024-8640, CVE-2024-8124

  • GitLab CE/EE version: 17.1.7
  • GitLab CE/EE version: 17.2.5
  • GitLab CE/EE version: 17.3.2
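To check an instance against the version ranges listed under Affected Products and the patched versions above, here is an added Python example; it is not part of this advisory or of GitLab's own tooling. The ranges are transcribed from this advisory, and the caller is assumed to supply the edition as "CE" or "EE".

```python
# Added example (not from the advisory): map a GitLab version and edition to the
# CVEs in this advisory that still apply, and to the nearest patched release.
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '17.1.7' into (17, 1, 7); missing trailing components count as 0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# (CVE, editions it applies to, [inclusive start, exclusive end) ranges),
# transcribed from the "Affected Products" section of this advisory.
ADVISORY = [
    ("CVE-2024-8635", {"EE"},       [("16.8", "17.1.7"), ("17.2", "17.2.5"), ("17.3", "17.3.2")]),
    ("CVE-2024-6678", {"CE", "EE"}, [("8.14", "17.1.7"), ("17.2", "17.2.5"), ("17.3", "17.3.2")]),
    ("CVE-2024-8640", {"EE"},       [("16.11", "17.1.7"), ("17.2", "17.2.5"), ("17.3", "17.3.2")]),
    ("CVE-2024-8124", {"CE", "EE"}, [("16.4", "17.1.7"), ("17.2", "17.2.5"), ("17.3", "17.3.2")]),
]

# Patched releases from the "Vulnerability Patches" section, ascending.
FIXED_VERSIONS = ("17.1.7", "17.2.5", "17.3.2")


def affected_cves(version: str, edition: str) -> List[str]:
    """Return the CVEs from this advisory that apply to `version` of `edition` ('CE'/'EE')."""
    v = parse_version(version)
    hits = []
    for cve, editions, ranges in ADVISORY:
        if edition.upper() not in editions:
            continue
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def recommended_fix(version: str) -> str:
    """Lowest patched release from the advisory that is >= `version`.

    Note: this does not model GitLab's required intermediate upgrade stops;
    consult the referenced release notes before jumping across minor lines.
    """
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed) >= v:
            return fixed
    return FIXED_VERSIONS[-1]


if __name__ == "__main__":
    for ver, ed in (("17.3.1", "EE"), ("17.3.1", "CE"), ("16.9.0", "EE"), ("17.3.2", "EE")):
        print(ver, ed, affected_cves(ver, ed) or "not affected", "->", recommended_fix(ver))
```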

References

[1] GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/