GitLab released patches (17.5.1, 17.4.3, and 17.3.6) for both Community and Enterprise Editions, fixing a critical HTML injection vulnerability in the Global Search feature that could lead to XSS attacks, along with other security and bug fixes.
Vulnerabilities patched
GitLab patched a critical vulnerability (CVE-2024-8312) affecting all versions from 15.10 before the newly released patched versions. The flaw allowed attackers to inject malicious HTML into the search field on a diff view, enabling cross-site scripting (XSS) attacks.
In an XSS attack, malicious scripts can be executed in users’ browsers, giving attackers the ability to steal sensitive information, such as login credentials, or take control of user accounts. Given the widespread use of GitLab for software development and collaboration, this vulnerability poses a serious risk, especially for organizations relying on GitLab for managing codebases and sensitive projects.
The vulnerability was given a CVSS score of 8.7, reflecting its significant potential impact and the relative ease with which it could be exploited. GitLab urges all users to update to the latest patch versions (17.5.1, 17.4.3, and 17.3.6) to mitigate the risk of exploitation.
GitLab credited security researcher joaxcar with identifying the flaw through its HackerOne bug bounty program and urges all users to upgrade immediately. The patched versions are already live on GitLab.com, but self-managed installations must be updated manually.
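Because self-managed instances have to be updated by hand, the first thing an administrator wants is a quick answer to "is my version in the affected range, and which release do I need?". The following is an added example, not GitLab's own tooling: it takes the fixed versions (17.5.1, 17.4.3, 17.3.6) and the start of the affected range (15.10) from this advisory, and assumes the installed version is supplied as a plain string such as "17.4.2-ee".

```python
"""Check a self-managed GitLab version against the CVE-2024-8312 fix releases.

Added example, not GitLab's own code. Fixed versions and the affected range
(15.10 up to the patched releases) come from the advisory; the version-string
formats accepted by parse_version() are an assumption for illustration.
"""
import re

# Patched releases per backport branch, as stated in the advisory.
FIXED_VERSIONS = {(17, 5): (17, 5, 1), (17, 4): (17, 4, 3), (17, 3): (17, 3, 6)}
# First affected release named by the advisory.
FIRST_AFFECTED = (15, 10, 0)


def parse_version(text):
    """Turn '17.4.2', '17.4.2-ee' or 'v17.4' into a comparable int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Return (affected, advice) for one installed version string."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False, "below 15.10: not in the affected range"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        if v > max(FIXED_VERSIONS.values()):
            return False, "newer than the patched releases"
        # 15.10 up to 17.2.x: no backported fix exists on this branch at all,
        # so the only remedy is moving to one of the three patched branches.
        return True, "unpatched branch: upgrade to 17.3.6, 17.4.3 or 17.5.1"
    if v >= fixed:
        return False, "already at or above the fixed release"
    return True, "upgrade to " + ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    # Constructed sample inputs, e.g. copied from the Admin Area of several instances.
    for installed in ["17.5.0-ee", "17.4.3", "16.11.0", "15.9.8", "v17.3"]:
        print(installed, assess(installed))
```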
Along with the HTML injection fix, the update also resolves a medium-severity DoS vulnerability (CVE-2024-6826) related to XML manifest file imports, which could allow attackers to disrupt services.
GitLab maintains a bi-monthly update cycle, with additional ad-hoc patches for critical vulnerabilities, demonstrating their commitment to robust security across all platforms.
Detailed information about each vulnerability is made public 30 days after the release, allowing users to better understand the scope and impact of each fix while ensuring immediate protection through timely patches.
GitLab encourages all users to update their installations to the latest supported versions regularly. They also recommend following best practices outlined in their security documentation to safeguard against potential threats, helping organizations and users stay protected in an evolving threat landscape.