GitLab has recently rolled out critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address a high-severity HTML injection vulnerability that could potentially lead to cross-site scripting (XSS) attacks. The patched versions, 17.5.1, 17.4.3, and 17.3.6, are now available for immediate upgrade, ensuring the protection of users from this security risk.
The vulnerability, known as CVE-2024-8312, impacts all GitLab CE/EE versions ranging from 15.10 to the most recent releases preceding these patches. It was discovered that malicious actors could inject HTML into the Global Search field on a diff view, opening up the possibility of exploiting this flaw for XSS attacks, which could compromise the confidentiality and integrity of the system. With a CVSS score of 8.7, this issue is classified as high severity due to its potential impact.
GitLab has urged users with self-managed installations to promptly upgrade to the patched versions to mitigate the risk posed by this vulnerability. While GitLab.com users are already safeguarded with the updated version, GitLab Dedicated customers do not need to take any action as they are inherently protected.
In addition to addressing the XSS vulnerability, the latest updates also fix a medium-severity denial of service (DoS) vulnerability related to XML manifest file import, identified as CVE-2024-6826. This issue affected versions from 11.2 onwards and had the potential to disrupt services by allowing attackers to import a maliciously crafted XML file.
Both vulnerabilities were responsibly disclosed by security researchers boxcar and a92847865 through GitLab’s HackerOne bug bounty program. GitLab has demonstrated its commitment to security by regularly releasing critical patches for high-severity vulnerabilities, including both scheduled and ad-hoc updates. Scheduled releases are typically issued twice monthly on the second and fourth Wednesdays to address known security issues and ensure the protection of users.
Users are strongly encouraged to stay informed by visiting GitLab’s release blog and security FAQ for detailed information on how to maintain secure installations. The company also recommends following best practices outlined in their blog post on securing GitLab instances to enhance overall security measures.
For those utilizing GitLab’s helm charts, devkit, and analytics stack, updates have been implemented to remove support for dynamic funnels, alongside an update to the Ingress NGINX Controller image version 1.11.2 to bolster security measures.
In conclusion, GitLab’s swift response in releasing critical security updates underscores its ongoing dedication to prioritizing the safety and security of its users. By promptly addressing vulnerabilities and providing timely patches, GitLab continues to demonstrate its commitment to enhancing the overall security posture of its platform.