GitLab Races to Fix Critical XSS Flaws – Don’t Delay Your Upgrade

GitLab, the widely used DevOps platform for code collaboration and project management, has released a significant security update. This release addresses multiple serious flaws, with the most critical being stored cross-site scripting (XSS) vulnerabilities. Attackers could exploit these vulnerabilities to hijack user sessions, steal sensitive data, or gain further footholds within a targeted system.

XSS: A Weapon for Attackers

Central to this update is the rectification of two stored Cross-Site Scripting (XSS) vulnerabilities, which had cast a shadow over the platform’s robustness. Stored XSS, a nefarious avenue for attackers, allows malicious scripts to be injected directly into web applications, enabling attackers to masquerade as legitimate users and perform unauthorized actions. The first of these vulnerabilities was discovered in the diff viewer of all GitLab versions from 16.9 to before 16.9.4 and from 16.10 to before 16.10.2, allowing attackers to deploy a payload that could compromise user integrity. Dubbed CVE-2024-3092, this high-severity issue was promptly neutralized in the latest GitLab release.

Equally critical was the discovery of a second stored XSS vulnerability, facilitated through the autocomplete for issue references feature. Affecting versions from 16.7 to before the newly released patches, this vulnerability, identified as CVE-2024-2279, posed a significant risk, potentially enabling attackers to hijack user sessions and execute arbitrary actions.

Denial of Service

The updates also shore up defenses against Denial of Service (DoS) vulnerabilities, particularly through Redos (Regular Expression Denial of Service) attacks. These vulnerabilities, inherent in chat integration messages and parsing junit test reports, could allow attackers to dramatically spike resource usage, leading to service degradation. The vulnerabilities, CVE-2023-6489 and CVE-2023-6678, although of medium severity, spotlight the critical need for vigilance against service disruption tactics.

Call to action

GitLab.com has already transitioned to the patched version, setting a precedent for users and organizations running GitLab CE or EE to follow suit. The urgency to upgrade to versions 16.10.2, 16.9.4, or 16.8.6 cannot be overstated—with the integrity of systems and data at stake, delaying updates could leave doors open for adversaries to exploit these vulnerabilities.