Developer Tools

In the GitLab versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2 a medium severity vulnerability CVE-2024-9367 was detected. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU resources while parsing templates to generate changelogs. To fix this issue, users should upgrade GitLab to versions 17.6.2, 17.5.4, 17.4.6. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-9367.

In GitLab CE/EE versions from 15.0 and before 17.4.6, from including 17.5 and before 17.5.4, and from including 17.6 and before 17.6.2 a medium severity vulnerability CVE-2024-8650 was detected. This vulnerability allows non-member users to view unresolved threads marked as internal notes in public projects’ merge requests. To address this issue, update GitLab CE/EE to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8650.

In GitLab CE/EE versions from 16.9 and before 17.4.6, from including 17.5 and before 17.5.4, and from including 17.6 and before 17.6.2 a medium severity vulnerability CVE-2024-8116 was detected. This vulnerability allows an unauthorized user, under specific conditions, to retrieve branch names by using a specific GraphQL query. To address this issue, update GitLab CE/EE to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8116.

In GitLab EE versions starting from 14.3 before 17.4.6, from 17.5 before 17.5.4, from 17.6 before 17.6.2 a low severity vulnerability CVE-2024-10043 was detected. This vulnerability allows attackers to access confidential incident titles through the Wiki History Diff feature, potentially exposing sensitive information. To address this issue, users should upgrade GitLab EE to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10043.

In GitLab CE/EE versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2 a medium severity vulnerability CVE-2024-9387 was detected. This vulnerability allows attackers to perform an open redirect via a specific releases API endpoint. To address this issue, users should upgrade GitLab CE/EE to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9387.

In GitLab CE/EE versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2 a high severity vulnerability CVE-2024-11274 was detected. This vulnerability allows attackers to inject NEL (Network Error Logging) headers in the Kubernetes (k8s) proxy response, which could lead to session data exfiltration. To address this issue, users must upgrade to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11274.

In GitLab CE/EE versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4 and starting from 17.6 prior to 17.6.2 a medium severity vulnerability CVE-2024-12292 was detected. This vulnerability allows attackers to access sensitive information retained in GraphQL logs. To address this issue, users should upgrade to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12292.

In GitLab CE/EE versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2 a medium severity vulnerability CVE-2024-12570 was detected. This vulnerability lets attackers use a victim’s CI_JOB_TOKEN to steal their GitLab session token. To address this issue, users should upgrade to versions 17.4.6, 17.5.4, or 17.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12570.

In Jenkins Simple Queue Plugin versions 1.4.4 and prior a high severity vulnerability CVE-2024-54003 was detected. This vulnerability allows attackers with View/Create permissions to exploit stored XSS due to improper handling of the view name. To address this issue, users must upgrade to version 1.4.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54003.