CVE-2024-9693: GitLab Issues Critical Patch for Kubernetes Agent

CVE-2024-9693

GitLab has released a critical security update addressing a high-severity vulnerability that could grant unauthorized access to Kubernetes clusters. Versions 17.5.2, 17.4.4, and 17.3.7 of both the Community Edition (CE) and Enterprise Edition (EE) patch a total of six security flaws, including the critical Kubernetes issue and several other medium-severity vulnerabilities.

The most serious vulnerability (CVE-2024-9693) allows unauthorized access to the Kubernetes agent within a cluster under specific configurations. “This is a high severity issue (CVSS 8.5),” warns the GitLab security advisory. This vulnerability was discovered internally by GitLab team member Tiger Watson.

In addition to the Kubernetes flaw, GitLab patched several other vulnerabilities, including:

  • Device OAuth flow vulnerability (CVE-2024-7404): This flaw could allow an attacker to gain full API access as the victim.
  • Denial of Service (DoS) vulnerability: Maliciously crafted content imported using the Fogbugz importer could trigger a denial of service.
  • Stored XSS vulnerability (CVE-2024-8648): Attackers could inject malicious JavaScript code into Analytics Dashboards through a specially crafted URL.
  • HTML injection vulnerability (CVE-2024-8180): Improper output encoding could lead to cross-site scripting (XSS) attacks if Content Security Policy (CSP) is not enabled.
  • Information disclosure vulnerability (CVE-2024-10240): An unauthenticated user could potentially read information about merge requests in private projects under specific circumstances.

GitLab urges all users to upgrade their self-managed installations to the latest versions immediately.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” states the advisory.

Related Posts: