What critical vulnerabilities were addressed in the latest GitLab security update?

The latest GitLab security update addressed several vulnerabilities, including four critical and high-severity flaws: CVE-2024-6678 (CVSS score 9.6), CVE-2024-8640 (CVSS score 8.5), CVE-2024-8635 (CVSS score 7.7), and CVE-2024-8124 (CVSS score 7.5). These vulnerabilities could allow an attacker to trigger pipelines as another user, inject commands, perform SSRF attacks, and cause denial-of-service (DoS) conditions.

What is CVE-2024-6678 and how does it affect GitLab?

CVE-2024-6678 (CVSS score 9.6) is a critical vulnerability that allows an attacker to trigger a pipeline as another user under certain circumstances. It affects GitLab CE/EE versions starting from 8.14 up to 17.1.6, 17.2.4, and 17.3.1.

What is CVE-2024-8640 and which versions of GitLab are affected?

CVE-2024-8640 (CVSS score 8.5) is a vulnerability due to incomplete input filtering, allowing command injection into a connected Cube server in GitLab EE. It affects GitLab EE versions starting from 16.11 up to 17.1.6, 17.2.4, and 17.3.1.

What is CVE-2024-8635 and how does it impact GitLab?

CVE-2024-8635 (CVSS score 7.7) is a high-severity Server-Side Request Forgery (SSRF) vulnerability in GitLab EE that could allow an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL. It affects GitLab EE versions starting from 16.8 up to 17.1.6, 17.2.4, and 17.3.1.

What is CVE-2024-8124 and what are the affected versions?

CVE-2024-8124 (CVSS score 7.5) is a Denial-of-Service (DoS) vulnerability in GitLab that could be triggered by sending a large glm_source parameter. It affects GitLab CE/EE versions starting from 16.4 up to 17.1.6, 17.2.4, and 17.3.1.

What additional security practices should organizations using GitLab implement?

Organizations using GitLab should regularly monitor for security updates and apply patches promptly. They should also implement multi-factor authentication (MFA) to enhance account security.

Advisory

GitLab releases patches to multiple flaws, including critical - patch ASAP

Q: What should GitLab users do to protect against these vulnerabilities?

GitLab recommends that all self-managed installations be upgraded to the latest patched versions: 17.3.2, 17.2.5, or 17.1.7. GitLab.com users do not need to take any action as the platform is already running the patched versions.

published: Sept. 12, 2024

Take action: If you are running GitLab Enterprise, plan a quick patch. All flaws require certain preconditions to be exploited, so it's not immediately hacked. But it will be very soon, so don't delay.

Learn More

GitLab has released a critical security update that addresses several vulnerabilities, including four critical and high-severity flaws tracked as CVE-2024-6678, CVE-2024-8640, CVE-2024-8635, and CVE-2024-8124. GitLab urges all installations running affected versions to upgrade to the latest patched releases (17.3.2, 17.2.5, and 17.1.7) immediately to mitigate potential security risks.

Critical and High-Severity Vulnerabilities

CVE-2024-6678 (CVSS score 9.6) - Allows an attacker to trigger a pipeline as another user under certain circumstances.
- Affected Versions: GitLab CE/EE versions starting from 8.14 up to 17.1.6, 17.2.4, and 17.3.1.
CVE-2024-8640 (CVSS score 8.5) - Due to incomplete input filtering, it was possible to inject commands into a connected Cube server in GitLab EE.
- Affected Versions: GitLab EE versions starting from 16.11 up to 17.1.6, 17.2.4, and 17.3.1.
CVE-2024-8635 (High, CVSS score 7.7) - A Server-Side Request Forgery (SSRF) vulnerability in GitLab EE could allow an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
- Affected Versions: GitLab EE versions starting from 16.8 up to 17.1.6, 17.2.4, and 17.3.1.
CVE-2024-8124 (High, CVSS score 7.5) - A Denial-of-Service (DoS) vulnerability could be triggered by sending a large glm_source parameter.
- Affected Versions: GitLab CE/EE versions starting from 16.4 up to 17.1.6, 17.2.4, and 17.3.1.

Additional medium and low-severity vulnerabilities were also patched, including issues related to unauthorized access, privilege escalation, command injection, open redirect vulnerabilities, and potential exposure of sensitive data. These vulnerabilities could potentially allow attackers to manipulate code, exfiltrate private information, and compromise critical infrastructure components.

GitLab recommends upgrading all self-managed installations to the latest patched versions: 17.3.2, 17.2.5, or 17.1.7. GitLab.com users don't need to take action - the platform is already running the patched versions; no action is needed.

Organizations using GitLab should:

Regularly monitor for security updates and apply patches promptly.
Implement multi-factor authentication (MFA) to enhance account security.

GitLab releases patches to multiple flaws, including critical - patch ASAP

Read More
Critical path traversal flaw reported in jsPDF library
Critical arbitrary code execution flaw reported in JavaScript …
Critical Langflow RCE Vulnerability CVE-2026-33017 Exploited Within Hours
PHP releases version 8.0.30, patching two critical vulnerabilities
Critical Authentication Bypass in Dgraph Database Allows Remote …