Developer Tools

In GitLab EE versions starting from 17.3 before 17.3.7, starting from 17.4 before 17.4.4 and starting from 17.5 before 17.5.2 a medium severity vulnerability CVE-2024-10240 was detected. This vulnerability allows unauthenticated users to access details about merge requests (MR) in a private project under specific conditions. To fix this issue, users are advised to upgrade GitLab EE to versions 17.6.1, 17.5.3, or 17.4.5. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10240.

In OpenShift version 4 a medium severity vulnerability CVE-2024-6538 was detected. A Server Side Request Forgery (SSRF) attack can occur if an attacker provides a URL for the server to query. This allows the attacker to perform arbitrary HTTP requests, potentially disclosing information or impacting other services within the cluster. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6538.

In Kubernetes versions prior to 1.28.11, and from 1.29.0 to 1.29.6 and 1.30.0 to 1.30.2 a high severity vulnerability CVE-2024-10220 was detected. This vulnerability allows attackers to execute arbitrary commands via specially crafted gitRepo volumes, potentially compromising the affected system. To fix this issue, users should upgrade Kubernetes to versions 1.28.12, 1.29.7, 1.30.3. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10220.

In Harbor versions from and including 2.x up to and including 2.4.2, from and including 2.5 up to and including 2.5.1, from and including 2.0.0 before 2.4.3, and from and including 2.5.0 before 2.5.2 a medium severity vulnerability CVE-2022-31667 was found. This vulnerability lets attackers revoke robot account permissions in projects they can’t access by sending a crafted request. To fix this issue, users are advised to upgrade to versions 2.5.2 and later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2022-31667.

In Gogs versions 0.12.7 and prior a critical severity vulnerability CVE-2022-1884 was found. This vulnerability allows attackers to execute arbitrary commands on the server by uploading a malicious config file. It affects all Windows installations with repository uploads enabled, risking unauthorized access and system compromise. To fix this issue, users are advised to upgrade to version 0.12.8 or the latest 0.13.0+dev. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2022-1884.

In Harbor versions before 2.5.2 a high severity vulnerability CVE-2022-31669 was detected. This vulnerability allows attackers to modify tag immutability policies in other projects by sending requests with an ID that belongs to a project the currently authenticated user doesn’t have access to. To fix this issue, users must upgrade to Harbor version 2.5.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31669.

In Harbor versions prior to 2.7.0 a high severity vulnerability CVE-2022-31668 was detected. This vulnerability allows attackers to modify P2P preheat policies in projects they don’t have permission to access. To fix this issue, users should upgrade Harbor to version 2.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2022-31668.

In Harbor versions prior to 2.5.2 a high severity vulnerability CVE-2022-31670 was detected. This vulnerability allows an attacker to modify tag retention policies in projects they don’t have access to by sending a request with a policy ID from another project, due to Harbor’s failure to validate user permissions. To fix this issue, users need to update to version 2.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31670.

In GitLab CE/EE versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2 a medium severity vulnerability CVE-2024-7404 was detected. This vulnerability allows attackers to gain full API access as the victim via the Device OAuth flow. To fix this issue, users should upgrade GitLab CE/EE to versions 17.5.2, 17.4.4, and 17.3.7. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-7404.