GitLab patched a high-severity vulnerability that unauthenticatedĀ attackers might exploit to take over person accounts in cross-site scripting (XSS) assaults.
The safety flaw (tracked as CVE-2024-4835) is an XSS weak point within the VS code editor (Net IDE) that lets risk actors steal restricted info utilizing maliciously crafted pages.
Whereas theyĀ can exploit this vulnerability in assaults that do not require authentication, person interplay remains to be wanted, rising the assaults’ complexity.
“Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” GitLab mentioned.
“These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”
On Wednesday, the corporate additionally mounted six different medium-severity safety flaws, together with a Cross-Web site Request Forgery (CSRF) by way of the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug that may let attackers disrupt the loading of GitLab net assets (CVE-2024-2874).
| Vulnerability | Severity |
|---|---|
| 1-click account takeover by way of XSS leveraging the VS code editor (Net IDE) | Excessive |
| A DOS vulnerability within the ‘description’ discipline of the runner | Medium |
| CSRF by way of K8s cluster-integration | Medium |
| Utilizing Set Pipeline Standing of a Commit API incorrectly creates a brand new pipeline | Medium |
| Redos on wiki render API/Web page | Medium |
| Useful resource exhaustion and denial of service with test_report API calls | Medium |
| Visitor person can view dependency lists of personal tasks via job artifacts | Medium |
Older account hijacking bug actively exploited in assaults
GitLab is a well-liked goal because it’s identified to host numerous sorts of delicate knowledge, together with API keys and proprietary code.
Therefore, hijacked GitLab accounts can have a big influence, together with provide chain assaults, if the attackers insert malicious code in CI/CD (Steady Integration/Steady Deployment) environments, compromising a corporation’s repositories.
As CISA warned earlier this month, risk actors at the moment are actively exploiting one other zero-click account hijacking vulnerability patched by GitLab in January.
Tracked as CVE-2023-7028, this most severity safety flaw permits unauthenticated attackers to take over GitLab accounts by way of password resets.
Although Shadowserver found over 5,300 weak GitLab cases uncovered on-line in January, lower than half (2,084) are nonetheless reachable in the meanwhile.
āCISA added CVE-2023-7028 to its Recognized Exploited Vulnerabilities Catalog on Might 1, ordering U.S. federal businesses to safe their programs inside three weeks by Might 22.
