WARNING: TWO CRITICAL AND THREE HIGH-SEVERITY VULNERABILITIES ARE AFFECTING GITLAB COMMUNITY EDITION (CE) AND GITLAB ENTERPRISE EDITION (EE)
Reference:
Advisory #2024-240
Version:
1.1
Affected software:
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE), all versions from 11.6 prior to 17.2.9 (the earliest affected release differs per CVE: 11.6 or 12.5), all versions from 17.3 prior to 17.3.5, and all versions from 17.4 prior to 17.4.2. The fixed releases (17.2.9, 17.3.5, 17.4.2) apply to both editions.
Type:
Authorization bypass; Remote Code Execution (RCE); Server-Side Request Forgery (SSRF)
CVE/CVSS:
CVE-2024-9164 CVSS:9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
CVE-2024-8970 CVSS:8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
CVE-2024-8977 CVSS:8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
CVE-2024-6530 CVSS:7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Date:
14/10/2024
Sources
Risks
GitLab is an open-source code repository and collaborative software development platform used for large DevOps and DevSecOps projects.
These vulnerabilities have a high impact on confidentiality and integrity (C:H/I:H in every vector); none of them affects availability. All require at least a low-privileged account (PR:L), so any user who can log in, including a compromised or malicious internal account, is a potential attacker.
Description
CVE-2024-9164
Allows an authenticated user to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on arbitrary branches of a repository, including branches they are not authorised to run pipelines on. Because a pipeline executes the repository's CI configuration on a runner, this can lead to code execution in the CI environment. The scope change in the vector (S:C) reflects that the impact extends beyond GitLab itself to the runners and resources the pipeline can reach.
CVE-2024-8970
Allows an attacker to trigger a pipeline as another user under certain circumstances.
CVE-2024-8977
Instances with the Product Analytics Dashboard configured and enabled could be vulnerable to Server-Side Request Forgery (SSRF), letting an authenticated user make the GitLab server issue requests to internal or otherwise unreachable network destinations. Instances that do not use Product Analytics are not exposed to this issue, but should still be patched for the others.
CVE-2024-6530
A cross-site scripting (HTML injection) issue. Under specific circumstances, the page shown when authorising a new (OAuth) application can be made to render attacker-controlled content as HTML, which would allow an attacker to inject malicious scripts and steal user data. The vector (UI:R) indicates that a victim must interact with the crafted authorisation page.
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for any of the vulnerable software mentioned in the present advisory: upgrade self-managed GitLab CE/EE instances to 17.4.2, 17.3.5 or 17.2.9 (or a later release on the same branch) as soon as possible.
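The following script is an added example for checking an instance's version against the affected ranges listed in this advisory; it is not code from GitLab or from the CCB. The ranges are copied from the "Affected software" section above. The `fetch_version` helper reads the instance's version from GitLab's `GET /api/v4/version` endpoint (a real endpoint that returns a JSON object with a `version` field and requires an authenticated token); the base URL and token it takes are placeholders you supply.

```python
"""Check a GitLab CE/EE version against the affected ranges in this advisory.

Added example, not GitLab's or the CCB's code. Ranges are those listed in the
advisory: from 11.6 prior to 17.2.9, 17.3 prior to 17.3.5, 17.4 prior to 17.4.2.
"""
import json
import re
import urllib.request

# (first affected version inclusive, first fixed version exclusive), per branch.
AFFECTED_RANGES = [
    ((11, 6, 0), (17, 2, 9)),  # all versions from 11.6 prior to 17.2.9
    ((17, 3, 0), (17, 3, 5)),  # 17.3 prior to 17.3.5
    ((17, 4, 0), (17, 4, 2)),  # 17.4 prior to 17.4.2
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-ee]' (the form returned by /api/v4/version) into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed_version(version):
    """The patch release that closes the range the version sits in, or None if not affected.

    Versions on branches that no longer receive patches (e.g. 17.0.x, 17.1.x) map to
    17.2.9, the oldest branch for which the advisory lists a fix.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def fetch_version(base_url, private_token):
    """Read the running version from GET /api/v4/version (placeholders: base_url, token)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": private_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Replace with your instance URL and a read-only personal access token.
    running = fetch_version("https://gitlab.example.com", "glpat-REPLACE-ME")
    if is_affected(running):
        print(f"{running} is AFFECTED; upgrade to {first_fixed_version(running)} or later")
    else:
        print(f"{running} is not in an affected range listed in this advisory")
```

The comparison is done on the numeric tuple rather than on the string, so `17.10.x` sorts after `17.4.x` as it should; a plain string comparison would get that wrong. Note that "not in an affected range" only means not affected by the CVEs in this advisory, not that the instance is free of later issues.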
Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, such as pipelines run on protected branches by users who should not be able to run them, or pipelines attributed to a user who did not start them, so that they can respond swiftly in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. Organisations that ran an affected version should review pipeline history on protected branches for the exposure window and treat CI/CD secrets reachable from those pipelines as potentially disclosed.
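As an added example of the retrospective check the previous paragraph calls for (not GitLab's or the CCB's code), the script below triages pipeline records and reports runs on protected branches that were started by users below the access level those branches require. The records are constructed sample data whose field names mirror GitLab's pipeline API response (`id`, `ref`, `source`, `status`, `created_at`, `user.username`) and its project-members response (`username`, `access_level`); the protected branch names, the membership table and the "Maintainer or above" rule (GitLab's default for protected branches) are assumptions for the sample project and should be replaced with your own settings.

```python
"""Retrospective triage of pipelines on protected branches.

Added example, not GitLab's code. Sample records are constructed; field names
mirror GitLab's pipeline and project-member API responses. The access-level
threshold (40 = Maintainer) is GitLab's default for protected branches and is
an assumption for the sample project.
"""
from datetime import datetime

# GitLab access_level values: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner.
MAINTAINER = 40

# Assumed protected branches of the sample project.
PROTECTED_REFS = {"main", "production"}

# Constructed project membership (username -> access_level).
MEMBERS = {"alice": 40, "release-bot": 50, "bob": 30, "mallory": 20}

# Constructed pipeline records in the shape of GET /projects/:id/pipelines/:pipeline_id.
PIPELINES = [
    {"id": 101, "ref": "main", "source": "push", "status": "success",
     "created_at": "2024-10-13T09:10:00Z", "user": {"username": "alice"}},
    {"id": 102, "ref": "feature/login", "source": "push", "status": "failed",
     "created_at": "2024-10-13T10:22:00Z", "user": {"username": "bob"}},
    {"id": 103, "ref": "production", "source": "api", "status": "success",
     "created_at": "2024-10-13T23:41:00Z", "user": {"username": "mallory"}},
    {"id": 104, "ref": "main", "source": "web", "status": "success",
     "created_at": "2024-10-14T02:05:00Z", "user": {"username": "bob"}},
    {"id": 105, "ref": "main", "source": "schedule", "status": "success",
     "created_at": "2024-10-14T03:00:00Z", "user": {"username": "release-bot"}},
    {"id": 106, "ref": "main", "source": "api", "status": "success",
     "created_at": "2024-10-14T04:30:00Z", "user": {"username": "ghost"}},
]


def parse_ts(text):
    """Parse the API's ISO-8601 'Z' timestamps into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def triage(pipelines, members, protected_refs, since, min_level=MAINTAINER):
    """Return pipelines on protected refs created at or after `since` (ISO-8601 string)
    whose starting user is below `min_level` or is not a project member at all."""
    cutoff = parse_ts(since)
    findings = []
    for p in pipelines:
        if p["ref"] not in protected_refs or parse_ts(p["created_at"]) < cutoff:
            continue
        user = p["user"]["username"]
        level = members.get(user, 0)  # 0: not a member; should never run a protected pipeline
        if level < min_level:
            findings.append({
                "pipeline": p["id"], "ref": p["ref"], "user": user,
                "access_level": level, "source": p["source"],
                "created_at": p["created_at"],
            })
    return findings


if __name__ == "__main__":
    # Window: from the first affected release you ran until the day you patched.
    for finding in triage(PIPELINES, MEMBERS, PROTECTED_REFS, "2024-10-01T00:00:00Z"):
        print(finding)
```

Each finding is a pipeline that, with the fixed code in place, the user could not have started; on an instance that ran an affected version these are the runs to examine first (what the jobs did, which CI/CD variables they could read, where the artifacts went). Users who are no longer members at triage time appear with access level 0, which is why the check reads membership at the time the script runs and not from the pipeline record itself; for an accurate picture, pull membership for the exposure window from the audit events as well.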