CVE-2024-4835: GitLab Fixes Account Takeover Vulnerability
GitLab, the popular web-based DevOps platform, has released urgent security patches to address multiple critical vulnerabilities affecting various versions of its Community Edition (CE) and Enterprise Edition (EE). These vulnerabilities, ranging from high to medium severity, could potentially lead to account takeovers, denial of service attacks, information leaks, and unauthorized access.
High Severity Account Takeover Risk
The most severe vulnerability, CVE-2024-4835 (CVSS 8.0), involves a cross-site scripting (XSS) flaw in the code editor on gitlab.com. Attackers could exploit this flaw to steal sensitive user information, potentially leading to a full account takeover. GitLab strongly urges all users to update their installations immediately to mitigate this risk.
Additional Vulnerabilities Addressed
In addition to the XSS vulnerability, GitLab has patched several other security flaws:
- Denial of Service (DoS): A DoS vulnerability in the runner’s description field (CVE-2024-2874) and a separate DoS condition in the wiki render API/Page (CVE-2023-6502) could disrupt service availability.
- Cross-Site Request Forgery (CSRF): A CSRF vulnerability via Kubernetes cluster integration (CVE-2023-7045) could allow attackers to steal anti-CSRF tokens.
- Authorization Bypass: An authorization vulnerability in the “Set Pipeline Status of a Commit” API could be exploited to bypass pipeline authorization logic.
- Information Disclosure: A vulnerability allows guest users to view dependency lists of private projects through job artifacts.
- Resource Exhaustion DoS: A vulnerability in the test_report API calls could lead to resource exhaustion and denial of service.
- Stored XSS via PDF.js: Mitigations were made to address a vulnerability in PDF.js (CVE-2024-4367).
Update Urgently to Protect Your GitLab Installation
GitLab has released versions 17.0.1, 16.11.3, and 16.10.6 for CE and EE to address these vulnerabilities. Users are strongly advised to upgrade their installations to the latest version as soon as possible.
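A defender-side version check against the three fixed releases named above, added here as an example and not part of the original article. It assumes that minor branches newer than 17.0 already carry the fixes and that branches older than 16.10 received no patch release, and the `/api/v4/version` mention refers to GitLab's version API as the usual place to read an instance's version.

```python
"""Check whether a self-managed GitLab version includes the fixes from this advisory.

Fixed versions come from the advisory text: 17.0.1, 16.11.3 and 16.10.6.
Assumptions (not stated by the article): minor branches newer than 17.0 were cut
after the fix and are treated as patched; branches older than 16.10 got no patch
release in this round and are reported as unpatched.
"""
from __future__ import annotations

import re
from typing import Optional

# Minor branch -> first patched version on that branch (from the advisory).
FIXED_VERSIONS = {
    (17, 0): (17, 0, 1),
    (16, 11): (16, 11, 3),
    (16, 10): (16, 10, 6),
}
NEWEST_PATCHED_BRANCH = max(FIXED_VERSIONS)  # (17, 0)

# Accepts "16.11.3", "v16.11.3" and suffixed forms such as "16.11.3-ee".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Parse a GitLab version string into (major, minor, patch); None if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if `version` contains the fixes for the CVEs described in the advisory."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    branch = (parsed[0], parsed[1])
    if branch in FIXED_VERSIONS:
        return parsed >= FIXED_VERSIONS[branch]
    if branch > NEWEST_PATCHED_BRANCH:
        return True   # assumption: e.g. 17.1.x was released after the fix landed
    return False      # assumption: e.g. 16.9.x is older than the patched branches


def check_hosts(hosts: dict[str, str]) -> dict[str, bool]:
    """Map hostname -> patched?, given {hostname: version_string}.

    In practice the version string is read from each instance's
    authenticated GET /api/v4/version response; here it is passed in directly.
    """
    return {host: is_patched(ver) for host, ver in hosts.items()}
```

Instances reported as unpatched should be scheduled for upgrade to the fixed release for their branch, or to the latest release if their branch is older than 16.10.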