GitLab Product Security Update Advisory

Overview

Security updates have been released to fix vulnerabilities in GitLab products. Users of affected products are advised to update to the latest version.

Affected Products

CVE-2024-11669

  • GitLab CE/EE versions: 16.9.8 (inclusive) to 17.4.5 (excluded)
  • GitLab CE/EE Versions: 17.5 (inclusive) to 17.5.3 (excluded)
  • GitLab CE/EE versions: 17.6 (inclusive) to 17.6.1 (excluded)

CVE-2024-11828

  • GitLab CE/EE versions: 13.2.4 (inclusive) to 17.4.5 (excluded)
  • GitLab CE/EE versions: 17.5 (inclusive) to 17.5.3 (excluded)
  • GitLab CE/EE versions: 17.6 (inclusive) to 17.6.1 (excluded)

CVE-2024-8237

  • GitLab CE/EE versions: 12.6 (inclusive) to 17.4.5 (excluded)
  • GitLab CE/EE versions: 17.5 (inclusive) to 17.5.3 (excluded)
  • GitLab CE/EE versions: 17.6 (inclusive) to 17.6.1 (excluded)

CVE-2024-8177

  • GitLab CE/EE versions: 15.6 (inclusive) to 17.4.5 (excluded)
  • GitLab CE/EE versions: 17.5 (inclusive) to 17.5.3 (excluded)
  • GitLab CE/EE versions: 17.6 (inclusive) to 17.6.1 (excluded)

CVE-2024-11274

  • GitLab CE/EE versions: 16.1 (inclusive) to 17.4.6 (excluded)
  • GitLab CE/EE versions: 17.5 (inclusive) to 17.5.4 (excluded)
  • GitLab CE/EE versions: 17.6 (inclusive) to 17.6.2 (excluded)

CVE-2024-8233

  • GitLab CE/EE versions: 9.4 (inclusive) to 17.4.6 (excluded)
  • GitLab CE/EE versions: 17.5 (inclusive) to 17.5.4 (excluded)
  • GitLab CE/EE versions: 17.6 (inclusive) to 17.6.2 (excluded)

Resolved Vulnerabilities

Vulnerability in certain API endpoints that could allow unauthorized access to sensitive data due to overly broad token scoping (CVE-2024-11669)

Vulnerability that could cause a denial of service condition due to a specially crafted API call (CVE-2024-11828)

Vulnerability that could allow an attacker to cause a denial of service via a crafted cargo.toml file (CVE-2024-8237)

Vulnerability that could cause a denial of service by integrating a malicious Harbor registry (CVE-2024-8177)

Vulnerability that could allow session data leakage by injecting Network Error Logging (NEL) headers into Kubernetes proxy responses (CVE-2024-11274)

Vulnerability that could allow an attacker to cause a denial of service via a diff file request in a commit or merge request (CVE-2024-8233)

Vulnerability Patches

Vulnerability patches have been made available in the latest update. Please follow the instructions on the referenced sites to update to a patched version.

CVE-2024-11669, CVE-2024-11828, CVE-2024-8237, CVE-2024-8177

  • GitLab CE/EE version: 17.4.5
  • GitLab CE/EE version: 17.5.3
  • GitLab CE/EE version: 17.6.1

CVE-2024-11274, CVE-2024-8233

  • GitLab CE/EE version: 17.4.6
  • GitLab CE/EE version: 17.5.4
  • GitLab CE/EE version: 17.6.2
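As an added example (not part of the advisory or of GitLab's own tooling), the following script encodes the affected ranges and patched versions listed above so that an operator can check a running GitLab CE/EE version string and see which CVEs still apply and which release on the same line closes all of them. The version-comparison and range table are constructed here from the advisory text.

```python
# Added example: check a GitLab CE/EE version against the affected ranges in
# this advisory. Ranges are [lower bound inclusive, upper bound excluded), as
# written in the "Affected Products" section; values are taken from the text.
from typing import List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Parse '17.5.3' -> (17, 5, 3); a bare '17.5' is padded to (17, 5, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

# (CVE, lower bound inclusive, upper bound excluded), one entry per range.
AFFECTED: List[Tuple[str, str, str]] = [
    ("CVE-2024-11669", "16.9.8", "17.4.5"), ("CVE-2024-11669", "17.5", "17.5.3"),
    ("CVE-2024-11669", "17.6", "17.6.1"),
    ("CVE-2024-11828", "13.2.4", "17.4.5"), ("CVE-2024-11828", "17.5", "17.5.3"),
    ("CVE-2024-11828", "17.6", "17.6.1"),
    ("CVE-2024-8237", "12.6", "17.4.5"), ("CVE-2024-8237", "17.5", "17.5.3"),
    ("CVE-2024-8237", "17.6", "17.6.1"),
    ("CVE-2024-8177", "15.6", "17.4.5"), ("CVE-2024-8177", "17.5", "17.5.3"),
    ("CVE-2024-8177", "17.6", "17.6.1"),
    ("CVE-2024-11274", "16.1", "17.4.6"), ("CVE-2024-11274", "17.5", "17.5.4"),
    ("CVE-2024-11274", "17.6", "17.6.2"),
    ("CVE-2024-8233", "9.4", "17.4.6"), ("CVE-2024-8233", "17.5", "17.5.4"),
    ("CVE-2024-8233", "17.6", "17.6.2"),
]

def matching_ranges(version: str) -> List[Tuple[str, str, str]]:
    """All advisory ranges whose [low, high) interval contains the version."""
    v = parse_version(version)
    return [r for r in AFFECTED
            if parse_version(r[1]) <= v < parse_version(r[2])]

def affected_cves(version: str) -> List[str]:
    """Sorted, de-duplicated CVE ids that still apply to this version."""
    return sorted({cve for cve, _, _ in matching_ranges(version)})

def fixed_version(version: str) -> str:
    """First release on the same line that closes every matching range, i.e. the
    highest upper bound among them; '' when no range applies."""
    highs = [parse_version(high) for _, _, high in matching_ranges(version)]
    return ".".join(str(n) for n in max(highs)) if highs else ""

if __name__ == "__main__":
    for v in ("17.4.4", "17.5.3", "17.6.2"):
        print(v, affected_cves(v), "->", fixed_version(v) or "not affected")
```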

References

[1] GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6

https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/

[2] GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5

https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-released/