Mitigate Severe Security Risks 1

GitLab has rolled out essential patch updates for both its Community Edition (CE) and Enterprise Edition (EE), targeting multiple security vulnerabilities and system bugs. These critical updates are crucial for addressing high-severity issues that could jeopardize the security and functionality of GitLab environments.  

The new releases—versions 17.3.2, 17.2.5, and 17.1.7—introduce a range of fixes and improvements designed to counteract various vulnerabilities. Users operating on the affected versions are urged to promptly upgrade their GitLab instances to protect against these vulnerabilities.  

Cyble’s latest security advisory provides an in-depth examination of recent critical patches released by various vendors, with a particular focus on vulnerabilities addressed in GitLab. As a comprehensive DevOps platform, GitLab integrates the entire software development lifecycle into a single application, streamlining collaboration, code management, and deployment.  

Detailed Vulnerability Analysis 

The vulnerabilities identified in GitLab vary widely in severity, with CVSS base scores ranging from 3.1 to 9.9. These vulnerabilities encompass a range of critical issues, from unauthorized access to sensitive information to potential system compromises. Understanding and addressing these vulnerabilities is crucial for maintaining the security and integrity of GitLab installations. The following sections detail each vulnerability, including its severity, affected versions, and recommended remediation steps. 

Pipeline Execution as Arbitrary User (CVE-2024-6678) 

CVE-2024-6678, which carries a CVSS score of 9.9, represents a critical vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 8.14 up to, but not including, 17.1.7, 17.2 up to 17.2.5, and 17.3 up to 17.3.2. This flaw allows attackers to trigger a pipeline as an arbitrary user under specific conditions. The impact of this vulnerability is severe, as it can lead to unauthorized actions within the GitLab environment. Cyble ODIN’s investigation has uncovered 89,706 internet-exposed GitLab instances, with a significant number located in China, highlighting the urgency of addressing this issue. 

Command Injection (CVE-2024-8640) 

CVE-2024-8640 is a high-severity vulnerability with a CVSS score of 8.5, affecting GitLab EE versions from 16.11 up to 17.1.7, 17.2 up to 17.2.5, and 17.3 up to 17.3.2. This issue allows for command injection into a connected Cube server due to incomplete input filtering. The potential consequences include unauthorized command execution, which could compromise the integrity and security of the affected systems. 

Server-Side Request Forgery (CVE-2024-8635) 

CVE-2024-8635, with a CVSS score of 7.7, affects GitLab EE versions from 16.8 up to 17.1.7, 17.2 up to 17.2.5, and 17.3 up to 17.3.2. This vulnerability enables server-side request forgery, allowing attackers to make requests to internal resources using a custom Maven Dependency Proxy URL. This flaw could potentially lead to unauthorized access to internal systems, increasing the risk of data exposure or other security breaches. 

Denial of Service (CVE-2024-8124) 

CVE-2024-8124, rated 7.5 on the CVSS scale, impacts GitLab CE/EE versions from 16.4 to 17.1.7, 17.2 to 17.2.5, and 17.3 to 17.3.2. This vulnerability could open the door for a denial of service attack by sending a large ‘glm_source’ parameter without requiring user interaction. The result can be a disruption of service availability, affecting users’ ability to access or utilize GitLab functionalities effectively. 

Improper Session Handling (CVE-2024-8641) 

With a CVSS score of 6.7, CVE-2024-8641 affects GitLab CE/EE versions from 13.7 to 17.1.7, 17.2 to 17.2.5, and 17.3 to 17.3.2. This vulnerability involves improper session handling, allowing an attacker with access to a victim’s CI_JOB_TOKEN to obtain the victim’s GitLab session token. There’s a high chance that this could potentially lead to unauthorized access to sensitive areas within the GitLab environment. 

Security Bypass (CVE-2024-8311) 

CVE-2024-8311, with a CVSS score of 6.5, is present in GitLab EE versions from 17.2 up to 17.2.5 and 17.3 up to 17.3.2. This flaw allows authenticated users to bypass pipeline execution policies by including a CI/CD template, potentially leading to unauthorized modifications or access within the GitLab pipeline. 

Information Disclosure (CVE-2024-4660) 

CVE-2024-4660, also rated 6.5 on the CVSS scale, affects GitLab EE versions from 11.2 up to 17.1.7, 17.2 up to 17.2.5, and 17.3 up to 17.3.2. This vulnerability permits guests to read the source code of private projects through group templates, leading to unauthorized information disclosure and potential security risks. 

Several other vulnerabilities, including CVE-2024-4283 and CVE-2024-4612, present medium-severity risks, such as open redirects and improper input validation. If not promptly addressed, these issues can lead to account takeovers, exposure of sensitive data, or unauthorized access.  

Each of these vulnerabilities has been assigned a CVSS score reflecting its impact and severity, and organizations are urged to apply relevant patches and updates. 

Conclusion 

Given GitLab’s critical role in many organizations’ software development processes, the recent updates addressing multiple vulnerabilities are of paramount importance. These vulnerabilities, ranging from unauthorized access and sensitive data exposure to potential denial of service attacks, could significantly impact an organization’s security and operational integrity. Organizations must apply the latest patches and updates to reduce any potential impact of these risks being exploited and improve their overall security posture. 

Recommendations and Mitigations 

  • Organizations are strongly advised to immediately upgrade to the latest GitLab versions where these vulnerabilities have been addressed. 

  • Properly configuring permissions and access levels should be a priority for firms that want to safeguard sensitive information. 

  • Regular monitoring of logs and auditing access can help detect unusual activities and potential exploitation attempts. 

  • Training users to recognize phishing attempts and secure their accounts will further mitigate risks associated with social engineering attacks. 

  • Maintaining up-to-date backups and testing recovery procedures will ensure timely and rapid restoration in the aftermath of a security incident. 

  • It is recommended that a comprehensive patch management strategy be developed that includes inventory management, patch assessment, testing, deployment, and verification. 

  • Proper network segmentation to avoid exposure of critical assets over the Internet and maintaining an up-to-date inventory of all internal and external assets will further enhance organizational security. 

The post GitLab Community and Enterprise Editions Receive New Updates to Mitigate Severe Security Risks  appeared first on Cyble.