Summary: GitLab has released a security update to fix two critical vulnerabilities in its Community and Enterprise Editions, urging users to update immediately to prevent potential exploitation. The vulnerabilities, CVE-2024-8312 and CVE-2024-6826, could allow attackers to execute malicious code and disrupt service availability.
Threat Actor: Unknown
Victim: GitLab Users
Key Points:
- Two vulnerabilities identified: CVE-2024-8312 (High Severity XSS) and CVE-2024-6826 (Medium Severity DoS).
- CVE-2024-8312 allows for Cross-Site Scripting attacks, potentially compromising user data and sessions.
- CVE-2024-6826 could lead to Denial of Service by importing a malicious XML manifest file.
- Affected versions include all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1.
- Users are strongly advised to upgrade to the latest versions: 17.5.1, 17.4.3, and 17.3.6.

GitLab has issued a security update to address two significant vulnerabilities affecting multiple versions of its Community Edition (CE) and Enterprise Edition (EE) software. Users are strongly urged to update their installations immediately.
The vulnerabilities, identified as CVE-2024-8312 and CVE-2024-6826, could allow attackers to execute malicious code and disrupt service availability.
CVE-2024-8312: High Severity XSS Vulnerability
This vulnerability, rated as high severity (CVSS:3.1 score of 8.7), allows attackers to inject malicious HTML code into the Global Search field on a diff view. As GitLab explains in their advisory, “An attacker could inject HTML into the Global Search field on a diff view leading to XSS.” This could lead to Cross-Site Scripting (XSS) attacks, enabling attackers to steal user data, hijack sessions, or redirect users to malicious websites.
CVE-2024-6826: Medium Severity DoS Vulnerability
The second vulnerability, CVE-2024-6826, is a medium severity Denial of Service (DoS) vulnerability (CVSS:3.1 score of 6.5). According to GitLab, “A denial of service could occur via importing a malicious crafted XML manifest file.” This flaw could allow attackers to overload the server and disrupt service for legitimate users.
Affected Versions:
A wide range of GitLab versions are impacted by these vulnerabilities, including all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1.
Remediation:
GitLab has addressed these vulnerabilities in the latest versions: 17.5.1, 17.4.3, and 17.3.6. The company “strongly recommends that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”
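As an added example (not code from GitLab or from the source article), a small Python check that maps a reported GitLab version string, as shown by `gitlab-rake gitlab:env:info` or the `GET /api/v4/version` endpoint, onto the affected ranges and patched releases listed above. The handling of the `-ee`/`-ce` suffix and the choice to send installs older than 17.3 to 17.3.6 are this example's assumptions.

```python
"""Check a GitLab version string against the affected ranges in this advisory."""
from __future__ import annotations

from typing import Optional

# Affected ranges from the advisory: (first affected, first fixed) per release line.
# A version is vulnerable when first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ((15, 10, 0), (17, 3, 6)),
    ((17, 4, 0), (17, 4, 3)),
    ((17, 5, 0), (17, 5, 1)),
]

# Patched releases named in the advisory, keyed by minor release line.
FIXED_RELEASES = {(17, 3): "17.3.6", (17, 4): "17.4.3", (17, 5): "17.5.1"}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (optionally suffixed '-ee' / '-ce', as GitLab reports it) into a tuple."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Patched release a vulnerable install should move to, or None if not affected.

    Installs on 17.3, 17.4 or 17.5 stay in their own line. For older lines this example
    picks 17.3.6, the oldest patched release the advisory names (an assumption, not GitLab guidance).
    """
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    return FIXED_RELEASES.get((major, minor), "17.3.6")


if __name__ == "__main__":
    # Constructed sample inputs in the form GitLab reports them.
    for sample in ("17.4.2-ee", "17.3.6", "16.11.0-ce"):
        print(sample, "->", recommended_upgrade(sample) or "not affected")
```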
Source: https://securityonline.info/gitlab-security-alert-cve-2024-8312-and-cve-2024-6826-patched