GitLab Patches Six Security Flaws, Urges Immediate Update

CVE-2024-3092

GitLab, the widely-used code collaboration platform, released a security update today that addresses a half-dozen vulnerabilities across multiple versions of its software. While none of the flaws are classified as “critical,” one high-severity cross-site scripting (XSS) bug could have serious consequences for users who don’t upgrade promptly.

The update, which applies to GitLab Community Edition (CE) and Enterprise Edition (EE), includes the following versions:

  • 17.2.1
  • 17.1.3
  • 17.0.5

The most notable fix targets an XSS vulnerability within the “Maven Dependency Proxy” feature. An attacker could exploit this flaw to inject malicious scripts into web pages, potentially leading to session hijacking, data theft, or other malicious activities.

Here’s a quick summary of the vulnerabilities addressed:

  • High: 1 (XSS in Maven Dependency Proxy)
  • Medium: 3 (including CVE-2024-5067 and CVE-2024-7057)
  • Low: 2

At the time of the advisory, the XSS vulnerability had not yet received a CVE number. However, it was assigned a base score of 7.7 using the CVSSv3.1 scoring system, indicating a significant risk. GitLab has credited its internal security team for discovering the flaw.

GitLab strongly recommends that all users upgrade to one of the patched versions as soon as possible.

Related Posts: