GitLab Security Alert: CVE-2024-8312 and CVE-2024-6826 Patched
GitLab has issued a security update to address two significant vulnerabilities affecting multiple versions of its Community Edition (CE) and Enterprise Edition (EE) software. Users are strongly urged to update their installations immediately.
The vulnerabilities, identified as CVE-2024-8312 and CVE-2024-6826, could allow an attacker to run script in other users' browsers and to disrupt service availability.
CVE-2024-8312: High Severity XSS Vulnerability
This vulnerability, rated high severity (CVSS v3.1 score of 8.7), allows an attacker to inject HTML into the Global Search field on a diff view. As GitLab explains in its advisory, “An attacker could inject HTML into the Global Search field on a diff view leading to XSS.” Because the injected markup executes in the context of a logged-in user's GitLab session, a Cross-Site Scripting (XSS) attack of this kind could be used to steal user data, hijack sessions, or redirect users to malicious websites.
CVE-2024-6826: Medium Severity DoS Vulnerability
The second vulnerability, CVE-2024-6826, is a medium severity Denial of Service (DoS) vulnerability (CVSS v3.1 score of 6.5). According to GitLab, “A denial of service could occur via importing a malicious crafted XML manifest file.” This flaw could allow an attacker to exhaust server resources during the import and disrupt service for legitimate users.
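The advisory does not say how the manifest in CVE-2024-6826 is crafted. The block below is an added illustration, not GitLab's code or GitLab's fix: a screening step that any XML import path can apply before handing bytes to a parser, rejecting the generic inputs that turn XML parsing into a denial of service (oversized documents, DOCTYPE/ENTITY declarations that enable entity expansion, and deep element nesting). The size and depth limits, the constructed sample manifests, and the repo-style `<manifest>`/`<project>` layout are assumptions made for the example.

```ruby
# Added example, not GitLab code: screen an XML manifest before parsing it.
require 'rexml/document'

MAX_MANIFEST_BYTES = 1024 * 1024 # assumed cap; tune for your deployment
MAX_ELEMENT_DEPTH  = 16          # assumed cap; repo manifests are very flat

# Cheap string-level screening before any parser touches the bytes.
# Returns nil when the document passes, otherwise a short rejection reason.
def manifest_rejection(xml)
  return 'manifest exceeds size limit' if xml.bytesize > MAX_MANIFEST_BYTES
  # Entity declarations are what make entity-expansion attacks possible;
  # a repo manifest has no legitimate use for a DOCTYPE at all.
  return 'DOCTYPE/ENTITY declaration not allowed' if xml.match?(/<!(DOCTYPE|ENTITY)\b/i)

  depth = 0
  xml.scan(/<[^>]*>/) do |tag|
    next if tag.start_with?('<?', '<!')   # processing instruction or comment
    if tag.start_with?('</')
      depth -= 1
    elsif !tag.end_with?('/>')            # self-closing tags do not nest
      depth += 1
      return 'element nesting too deep' if depth > MAX_ELEMENT_DEPTH
    end
  end
  nil
end

# Parses an already-screened manifest and returns [[name, path], ...].
# Raises ArgumentError instead of parsing when the guard rejects the input.
def import_projects(xml)
  reason = manifest_rejection(xml)
  raise ArgumentError, "rejected manifest: #{reason}" if reason

  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '/manifest/project').map do |p|
    [p.attributes['name'], p.attributes['path'] || p.attributes['name']]
  end
end

# Constructed sample inputs (not real data).
GOOD_MANIFEST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <manifest>
    <remote name="origin" fetch="https://example.invalid/repos/" />
    <default remote="origin" revision="main" />
    <project name="platform/build" path="build" />
    <project name="platform/tools" />
  </manifest>
XML

# Entity declarations that a parser without expansion limits would blow up.
ENTITY_MANIFEST = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE manifest [
    <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  ]>
  <manifest><project name="&b;&b;&b;" /></manifest>
XML

# Forty nested elements: far beyond anything a real manifest needs.
DEEP_MANIFEST = '<manifest>' + ('<x>' * 40) + ('</x>' * 40) + '</manifest>'

if __FILE__ == $PROGRAM_NAME
  { good: GOOD_MANIFEST, entity: ENTITY_MANIFEST, deep: DEEP_MANIFEST }.each do |label, xml|
    reason = manifest_rejection(xml)
    puts "#{label}: #{reason || "accepted, projects=#{import_projects(xml).inspect}"}"
  end
end
```

The guard is deliberately conservative: it rejects any DOCTYPE rather than trying to distinguish harmless ones, because the import has no reason to accept a document type definition at all, and it counts depth on raw tags so that the parser never sees a pathological document.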
Affected Versions:
GitLab lists the affected ranges as all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1.
Remediation:
GitLab has addressed these vulnerabilities in versions 17.5.1, 17.4.3, and 17.3.6 for both CE and EE. The company “strongly recommends that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”
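As an added example (not part of the GitLab advisory or of GitLab's own tooling), the following Ruby function encodes the three affected ranges above and returns the patched release an installation should move to, or nil when the version is outside every range. It assumes a version string in the form GitLab reports (for example `17.4.2-ee`, as shown by `/api/v4/version` or `gitlab-rake gitlab:env:info`); the `-ee`/`-ce` edition suffix is stripped before comparison because `Gem::Version` would otherwise treat it as a prerelease and misplace it.

```ruby
# Added example, not GitLab code: map a running GitLab version to the
# patched release named in the advisory for CVE-2024-8312 / CVE-2024-6826.

# Ranges as stated in the advisory: [first affected, first fixed).
AFFECTED_RANGES = [
  ['15.10', '17.3.6'],
  ['17.4',  '17.4.3'],
  ['17.5',  '17.5.1'],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Returns the fixed version to upgrade to, or nil if the version is not affected.
def fix_for(version_string)
  # "17.4.2-ee" -> "17.4.2"; without this Gem::Version reads "-ee" as a
  # prerelease tag and ranks 17.3.6-ee below 17.3.6.
  v = Gem::Version.new(version_string.sub(/-.*\z/, ''))
  AFFECTED_RANGES.each do |lo, hi|
    return hi.to_s if v >= lo && v < hi
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions, not taken from any real installation.
  %w[17.3.5 17.4.2-ee 17.5.0 17.5.1-ee 15.9.8].each do |v|
    fix = fix_for(v)
    puts fix ? "#{v}: affected, upgrade to #{fix}" : "#{v}: not in an affected range"
  end
end
```

Because the ranges are checked in order, a version such as 16.2.0 is reported against 17.3.6, the nearest fixed release on its side of the 17.4 boundary; an operator on 17.4 or 17.5 is pointed at the patch release of their own minor line.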