GitLab, the popular DevOps platform, has released a patch update addressing several security vulnerabilities affecting its import functionality and other core features. Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade.
Several of the issues fixed in this patch release were reported through GitLab’s HackerOne bug bounty program.
Vulnerabilities Impacting Import Functionality
A series of vulnerabilities (CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970) were identified in GitLab’s import functionality, specifically in how importers mapped imported contributions and memberships to users on the destination instance. Rather than patching each case individually, GitLab has redesigned the user contribution mapping functionality to address the whole class of issues.
“To address these vulnerabilities and further enhance security, GitLab redesigned the importers’ user contribution mapping functionality,” the company stated in its official release announcement.
Key Changes to Import Functionality:
- Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security.
- Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains.
- User control: Users on the destination instance can now accept or reject contributions assigned to them, so that imported activity cannot be attributed to an account without its owner’s consent.
Additional Security Fixes:
Beyond the import functionality, the patch release addresses further vulnerabilities, including:
- Possible access token exposure in GitLab logs (CVE-2025-0194): Under certain conditions, access tokens could be written to GitLab logs, from which anyone with log access could reuse them. The fix stops new exposures only; any token that reached a log before the upgrade should be treated as exposed and rotated.
- Cyclic reference of epics leading to resource exhaustion (CVE-2024-6324): An attacker could create cyclic references between epics so that traversing the hierarchy exhausted server resources, resulting in a denial of service (DoS).
- Unauthorized manipulation of issue status in public projects (CVE-2024-12431): This vulnerability allowed unauthorized users to manipulate the status of issues in public projects, potentially disrupting workflows and compromising data integrity.
- Instance SAML bypass (CVE-2024-13041): A flaw in the instance SAML configuration could allow users to bypass external provider settings, potentially granting unauthorized access to internal projects or groups.
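The epic cycle issue above is one instance of a general rule: any tree-shaped hierarchy must refuse a parent assignment that would make a record its own ancestor, and every walk up or down the tree must be bounded. The following Ruby is an added illustration written for this page, not GitLab’s code or its actual fix. It assumes epics are linked by a single parent id held in an in-memory hash standing in for database rows, uses made-up ids, and picks a limit of seven ancestors as an arbitrary bound.

```ruby
# Added illustration (not GitLab's own code) of guarding an epic hierarchy
# against cycles. Epic ids are integers; @parent_of maps a child id to its
# parent id, standing in for the rows a real implementation would read.
class EpicTree
  class CycleError < StandardError; end

  # Assumed upper bound on how many ancestors any epic may have. Every walk
  # stops at this bound, so even a cycle that reached storage before the
  # check existed cannot turn an ancestor lookup into an unbounded loop.
  MAX_ANCESTORS = 7

  def initialize(parent_of = {})
    # Accepts pre-existing links unchecked, to model data already stored.
    @parent_of = parent_of.dup
  end

  def parent_of(epic)
    @parent_of[epic]
  end

  # Walks upward from `epic`, returning its ancestors nearest first.
  # Raises CycleError instead of looping when the chain revisits an epic
  # or grows past MAX_ANCESTORS.
  def ancestors(epic)
    chain = []
    current = @parent_of[epic]
    until current.nil?
      if current == epic || chain.include?(current)
        raise CycleError, "cycle detected while walking ancestors of epic #{epic}"
      end
      chain << current
      if chain.size > MAX_ANCESTORS
        raise CycleError, "epic #{epic} has more than #{MAX_ANCESTORS} ancestors"
      end
      current = @parent_of[current]
    end
    chain
  end

  # The unsafe version: trusts the caller and writes the link unconditionally.
  # With 3 -> 2 -> 1 already stored, set_parent_unchecked(1, 3) closes a loop.
  def set_parent_unchecked(epic, parent)
    @parent_of[epic] = parent
  end

  # The guarded version: a parent is acceptable only if the child is neither
  # the parent itself nor one of the parent's ancestors, and the resulting
  # nesting stays within the bound.
  def set_parent!(epic, parent)
    raise CycleError, "epic #{epic} cannot be its own parent" if epic == parent
    chain = ancestors(parent) # raises if the parent's own chain is already broken
    if chain.include?(epic)
      raise CycleError, "epic #{epic} is an ancestor of epic #{parent}"
    end
    if chain.size + 1 > MAX_ANCESTORS
      raise CycleError, "nesting epic #{epic} under #{parent} exceeds #{MAX_ANCESTORS} levels"
    end
    @parent_of[epic] = parent
  end
end

# Returns :rejected when the guarded setter refuses to close the cycle
# 1 -> 3 -> 2 -> 1, :accepted otherwise.
def guarded_cycle_attempt
  tree = EpicTree.new
  tree.set_parent!(2, 1)
  tree.set_parent!(3, 2)
  tree.set_parent!(1, 3)
  :accepted
rescue EpicTree::CycleError
  :rejected
end

# Shows that a cycle already present in storage is reported, not walked forever.
def corrupted_walk_result
  tree = EpicTree.new({ 1 => 2, 2 => 1 })
  tree.ancestors(1)
  :terminated_normally
rescue EpicTree::CycleError
  :cycle_reported
end

if __FILE__ == $PROGRAM_NAME
  puts "guarded setter: #{guarded_cycle_attempt}"
  puts "walk over corrupted data: #{corrupted_walk_result}"
end
```

Two points carry over to any hierarchy check: validate against all ancestors of the proposed parent, not just the immediate parent, and bound every upward walk, because a cycle that reached storage before the check existed would otherwise still hang the first request that traverses it.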
Recommended Actions:
GitLab strongly recommends that all self-managed GitLab installations be upgraded to one of the patched versions immediately. GitLab.com is already running the patched version.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab urged in its security advisory.
Additionally, GitLab advises keeping importers disabled until the upgrade is complete; where an import cannot wait, enable only the required import source for the duration of that import and disable it again afterwards. On self-managed instances, import sources are controlled in the Admin area under Settings > General > Import and export settings (the `import_sources` application setting).
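Returning to the access-token-in-logs item above: the patch stops new exposures, but tokens already written to a log stay there until the log is rotated, and a token that has been logged should be revoked. The following Ruby is an added example for this page, not GitLab’s code or its fix. It shows a redaction filter of the kind applied before a line is written, and a scanner for existing log text that reports token-shaped values to rotate. The token prefixes are the ones GitLab prints on its own tokens (`glpat-` personal access, `gldt-` deploy, `glrt-` runner, `glptt-` pipeline trigger); the minimum token length, the sample log lines, and the exact set of parameter and header names covered are assumptions for the illustration.

```ruby
# Added illustration (not GitLab's own code). Two tools for the
# "token in logs" failure mode: `redact` strips token-shaped values before a
# line is written, and `find_tokens` scans text already on disk for values
# that look like tokens and should be rotated.
#
# The prefixes are GitLab's own token prefixes; the minimum length of 16 is
# an assumption chosen so the bare prefix alone never matches.
TOKEN_VALUE = /\bgl(?:pat|dt|rt|ptt)-[A-Za-z0-9_\-]{16,}/

# Each rule keeps the context (parameter name, header name, auth scheme) and
# replaces only the secret, so the redacted line still says what happened.
# Rules run in order, and each is idempotent on already-redacted text.
REDACTIONS = [
  [TOKEN_VALUE, '[REDACTED]'],
  [/([?&](?:private_token|access_token|token)=)[^&\s"']+/i, '\1[REDACTED]'],
  [/(PRIVATE-TOKEN:\s*)\S+/i, '\1[REDACTED]'],
  [/(Authorization:\s*(?:Bearer|Basic)\s+)\S+/i, '\1[REDACTED]'],
  [/("(?:private_token|access_token|token)"\s*:\s*")[^"]*(")/i, '\1[REDACTED]\2']
].freeze

# Redacts a single log line.
def redact(line)
  REDACTIONS.reduce(line) { |text, (pattern, replacement)| text.gsub(pattern, replacement) }
end

# Redacts a whole log body, returning an array of lines without newlines.
def redact_log(text)
  text.lines.map { |line| redact(line.chomp) }
end

# Unique token-shaped values found in existing log text, mapped to the
# line numbers they appear on. Anything returned here should be treated as
# exposed, whatever the log file's access controls were.
def find_tokens(text)
  hits = Hash.new { |h, k| h[k] = [] }
  text.each_line.with_index(1) do |line, number|
    line.scan(TOKEN_VALUE) { |token| hits[token] << number }
  end
  hits
end

# Constructed sample lines for the illustration, not real GitLab log output.
SAMPLE_LOG = <<~LOG
  GET /api/v4/projects?private_token=glpat-AbCdEfGhIjKlMnOpQrSt 200
  header PRIVATE-TOKEN: glpat-AbCdEfGhIjKlMnOpQrSt
  Authorization: Bearer ya29.notreallyatoken-but-secret
  POST /api/v4/runners {"token":"glrt-zzzzzzzzzzzzzzzzzzzz"}
  GET /api/v4/user 200 no secrets here
LOG

if __FILE__ == $PROGRAM_NAME
  puts redact_log(SAMPLE_LOG)
  find_tokens(SAMPLE_LOG).each do |token, lines|
    puts "rotate #{token} (seen on lines #{lines.join(', ')})"
  end
end
```

The scanner deliberately looks only for GitLab’s prefixed token formats; opaque bearer tokens from other providers, as in the third sample line, can be redacted by context but cannot be recognised by shape, which is why the filter runs on the way in rather than relying on a scan afterwards.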