Don't wait for your account to be hacked: CVE-2024-4835 affects every developer

Tomcat

A critical XSS vulnerability throws the door wide open for intruders.

GitLab has released updates for its current product line that address a dangerous vulnerability allowing unauthenticated attackers to hijack user accounts through XSS attacks.

"Today we are releasing versions 17.0.1, 16.11.3 and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)," the company said. "These versions contain important bug and vulnerability fixes, and we strongly recommend that all GitLab users immediately upgrade their installations to one of these versions."

The main issue, tracked as CVE-2024-4835 with a CVSS score of 8.0, is an XSS vulnerability in the VS Code editor (Web IDE). It lets attackers steal sensitive information by luring a victim to a specially crafted page. No authentication is required to exploit it, but user interaction is still necessary, which makes the attack somewhat harder to carry out.

Along with the issue above, the company also fixed six other medium-severity vulnerabilities (CVSS scores from 4.3 to 6.5), including a CSRF via the Kubernetes Agent server (CVE-2023-7045) and a denial-of-service vulnerability that lets attackers disrupt the loading of GitLab web resources (CVE-2024-2874).

The full list of vulnerabilities and their detailed description can be found at this link.

GitLab is a frequent target because it stores many kinds of sensitive data, including API keys and proprietary code. Hijacking accounts on the platform can have serious consequences, including supply-chain attacks, if attackers manage to inject malicious code into an organization's CI/CD environment.

Earlier this month, CISA warned that attackers are actively exploiting another GitLab vulnerability that allows account hijacking without any user interaction.

Tracked as CVE-2023-7028, this vulnerability carries the maximum severity rating (CVSS 10.0) and allows unauthenticated attackers to hijack GitLab accounts through the password reset flow.

Although Shadowserver found more than 5,300 vulnerable GitLab instances exposed online in January, 2,084 of them are still at risk. CISA added CVE-2023-7028 to its Known Exploited Vulnerabilities catalog on May 1, requiring US federal agencies to secure their systems by May 22.
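The practical question behind both advisories above is whether a given instance is already on a fixed release. The following is an added example, not GitLab's own code: it compares a GitLab version string against the fixed versions named in the post for CVE-2024-4835 (17.0.1, 16.11.3, 16.10.6) and tells you whether an upgrade is needed. It assumes the conservative rule that any release branch older than the oldest fixed branch is unpatched, and it only parses a JSON body shaped like GitLab's authenticated GET /api/v4/version response; the sample bodies are constructed, not captured from a real server. The same function takes a different fixed-version table if you want to check CVE-2023-7028, whose fixed versions are not listed on this page.

```python
import json
import re

# Fixed versions for CVE-2024-4835 as announced in the release quoted above:
# 17.0.1, 16.11.3 and 16.10.6, keyed by (major, minor) release branch.
FIXED_CVE_2024_4835 = {
    (17, 0): (17, 0, 1),
    (16, 11): (16, 11, 3),
    (16, 10): (16, 10, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a GitLab version string.

    GitLab reports strings such as "16.11.2-ee" or "17.0.0"; the edition
    suffix is ignored. Raises ValueError on anything else.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version, fixed=FIXED_CVE_2024_4835):
    """True if `version` is older than the fix on its release branch.

    A version on a branch that received a fix is compared against that fix.
    A version on a branch newer than any fixed one is treated as patched.
    A version on a branch older than any fixed one is treated as unpatched;
    that last rule is an assumption of this example (the conservative
    reading of "all users should upgrade"), not a statement from the post.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in fixed:
        return (major, minor, patch) < fixed[branch]
    if branch > max(fixed):
        return False
    return True


def assess_instance(api_version_json):
    """Evaluate a JSON body shaped like GitLab's GET /api/v4/version reply.

    That endpoint returns {"version": "...", "revision": "..."} to an
    authenticated caller. This helper only parses such a body; it never
    contacts a server.
    """
    body = json.loads(api_version_json)
    version = body["version"]
    return {
        "version": version,
        "vulnerable_to_CVE-2024-4835": needs_upgrade(version),
    }


if __name__ == "__main__":
    # Constructed sample bodies, not captured from a real instance.
    samples = [
        '{"version": "16.11.2-ee", "revision": "0000000"}',
        '{"version": "17.0.1", "revision": "0000000"}',
        '{"version": "16.9.8-ce", "revision": "0000000"}',
    ]
    for s in samples:
        print(assess_instance(s))
```

To run it against a live instance, fetch /api/v4/version with a personal access token and pass the response body to assess_instance; a version on 17.0 below 17.0.1, on 16.11 below 16.11.3, or on 16.10 below 16.10.6 is flagged, and so is anything on an older branch.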