In GitLab CE/EE versions starting from 16 before 17.3.7, from 17.4 before 17.4.4, and from 17.5 before 17.5.2, a medium severity vulnerability, CVE-2024-8648, was detected. It allows an attacker to inject malicious JavaScript into Analytics Dashboards through a specially crafted URL (a cross-site scripting flaw). To fix this issue, upgrade GitLab CE/EE to 17.3.7, 17.4.4, or 17.5.2, whichever is the patched release for the branch in use. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-8648.
In GitLab CE/EE versions starting from 17.2 before 17.3.7, from 17.4 before 17.4.4, and from 17.5 before 17.5.2, a medium severity vulnerability, CVE-2024-7404, was detected. It allows an attacker to gain full API access as the victim through the Device OAuth flow (the OAuth device authorization grant). To fix this issue, upgrade GitLab CE/EE to 17.3.7, 17.4.4, or 17.5.2, whichever is the patched release for the branch in use. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-7404.
In Harbor versions 1.0.0 through 1.10.12, 2.0.0 through 2.4.2, and 2.5.0 through 2.5.1, a high severity vulnerability, CVE-2022-31671, was detected. Harbor does not properly validate the caller's permission on a job, so an authenticated user can read or modify the execution logs of other jobs simply by requesting different job IDs, exposing every job log stored in the Harbor database. To fix this issue, update Harbor to version 2.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31671.
In Mattermost versions 9.10.x up to and including 9.10.2, 9.11.x up to and including 9.11.1, and 9.5.x up to and including 9.5.9, a medium severity vulnerability, CVE-2024-46872, was found. Playbooks does not adequately validate user-supplied input, which lets an attacker perform cross-site request forgery (CSRF) against a logged-in user. To fix this issue, upgrade to a patched release of the affected 9.5, 9.10, or 9.11 branch (published after 2024-09-26; the linked NVD entry lists the exact fixed versions). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46872.
In Sonatype Nexus Repository versions 3.0.0 through 3.72.0, a medium severity vulnerability, CVE-2024-5764, was detected. Secrets in the repository's configuration database are encrypted with a hard-coded passphrase, so an attacker who obtains a copy of that database can recover stored secrets such as SMTP credentials, HTTP proxy credentials, and user tokens. At the time of writing there is no patched version for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5764.
In OneDev versions prior to 11.0.9, a high severity vulnerability, CVE-2024-45309, was detected. It allows an unauthenticated attacker to read arbitrary files that are accessible to the OneDev server process. To fix this issue, upgrade to version 11.0.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45309.
In the OpenShift Console's GraphQL endpoint, a medium severity vulnerability, CVE-2024-50312, was detected. Unauthorized users can run introspection queries, which reveal every query and mutation the API exposes and so make reconnaissance against the console easier. As a mitigation until a patched release is available, disable GraphQL introspection in the OpenShift Console settings; note that this may break development tools that rely on introspection. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-50312.
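After applying the mitigation above, a practitioner will want to confirm that introspection is really off. The following is an added example (not code from the original page, OpenShift, or Red Hat) that sends the minimal introspection query to a GraphQL endpoint and reports whether the server returned schema data. The endpoint URL, the `/graphql` path, and the embedded mock server that stands in for the console are assumptions so the example runs offline; point `introspection_enabled()` at the real console endpoint to check a live deployment.

```python
"""Probe a GraphQL endpoint to see whether schema introspection is exposed.

The probe posts the smallest useful introspection query and reports whether
the response carried schema data (introspection on) or not (introspection
off). A tiny local mock server is included so the example runs offline; it
is a constructed stand-in, not the OpenShift Console.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError

# Minimal introspection query: enough to prove the schema is readable.
INTROSPECTION_QUERY = "{ __schema { queryType { name } types { name } } }"


def introspection_enabled(endpoint: str, timeout: float = 5.0) -> bool:
    """Return True if `endpoint` answers an introspection query with schema data."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = request.Request(endpoint, data=body,
                          headers={"Content-Type": "application/json"}, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            payload = json.load(resp)
    except HTTPError as err:
        # Some servers reject introspection with a non-200 status; read the
        # body anyway in case it still leaks schema data.
        try:
            payload = json.load(err)
        except ValueError:
            return False
    data = payload.get("data") or {}
    return isinstance(data.get("__schema"), dict)


# ---- constructed mock GraphQL server, used only for offline demonstration ----
SCHEMA_TYPES = [{"name": "Query"}, {"name": "Mutation"}, {"name": "Secret"}]


class MockGraphQL(BaseHTTPRequestHandler):
    introspection = True  # overridden per server instance to model both settings

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        query = json.loads(self.rfile.read(length)).get("query", "")
        if "__schema" in query and not self.introspection:
            reply = {"errors": [{"message": "GraphQL introspection is not allowed"}]}
        elif "__schema" in query:
            reply = {"data": {"__schema": {"queryType": {"name": "Query"},
                                           "types": SCHEMA_TYPES}}}
        else:
            reply = {"data": {}}
        out = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server(introspection: bool):
    """Start the mock on an ephemeral loopback port; returns (server, endpoint_url)."""
    handler = type("Handler", (MockGraphQL,), {"introspection": introspection})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/graphql"


def demo(introspection: bool) -> bool:
    """Bring up a mock with the given setting, probe it, tear it down."""
    server, url = start_mock_server(introspection)
    try:
        return introspection_enabled(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for enabled in (True, False):
        print("mock introspection", enabled, "-> probe says exposed:", demo(enabled))
```

The probe treats only a `data.__schema` object as evidence of exposure; an `errors` array alone is the expected answer from a hardened endpoint. Network errors other than an HTTP error status propagate to the caller so a misconfigured URL is not silently reported as "introspection off".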
In GitLab CE/EE all versions from 11.2 before 17.3.6, from 17.4 before 17.4.3, and from 17.5 before 17.5.1, a medium severity vulnerability, CVE-2024-6826, was detected. An attacker can cause a denial of service (DoS) by importing a maliciously crafted XML manifest file into GitLab, disrupting the instance. To fix this issue, upgrade GitLab to 17.3.6, 17.4.3, or 17.5.1, whichever is the patched release for the branch in use. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6826.
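Every entry above describes its affected versions as branch ranges ("from 17.4 before 17.4.4", "9.10.x up to and including 9.10.2"), and the usual mistake when automating that check is to compare version strings lexically, which puts 17.10.0 before 17.3.7. The following is an added example (not code from the original page or any of the vendors) that parses versions numerically and evaluates them against the GitLab CVE-2024-8648 and Mattermost CVE-2024-46872 ranges exactly as stated above; the `AffectedRange` and `is_affected` names are this example's own, and the version strings fed to it are constructed.

```python
"""Decide whether an installed version falls inside an advisory's affected ranges.

Versions are compared numerically component by component. A naive string
comparison puts "17.10.0" before "17.3.7" and would misclassify it as affected.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '17.3.7' (or '17.3.7-ee') into a tuple of ints, ignoring any suffix."""
    core = text.split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split(".") if p != "")
    if not parts:
        raise ValueError(f"not a version: {text!r}")
    return parts


def pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so '16' and '16.0.0' compare as equal."""
    return v + (0,) * (width - len(v))


@dataclass(frozen=True)
class AffectedRange:
    low: str                      # inclusive lower bound, e.g. "17.4"
    high: str                     # upper bound, e.g. "17.4.4"
    high_inclusive: bool = False  # False: "before 17.4.4"; True: "up to and including 9.10.2"

    def contains(self, version: str) -> bool:
        v, lo, hi = parse_version(version), parse_version(self.low), parse_version(self.high)
        width = max(len(v), len(lo), len(hi))
        v, lo, hi = pad(v, width), pad(lo, width), pad(hi, width)
        if v < lo:
            return False
        return v <= hi if self.high_inclusive else v < hi


def is_affected(version: str, ranges: Iterable[AffectedRange]) -> bool:
    """True if `version` lies in any of the advisory's affected ranges."""
    return any(r.contains(version) for r in ranges)


def naive_string_check(version: str, ranges: Iterable[AffectedRange]) -> bool:
    """The wrong way: lexical comparison. Kept only to contrast with is_affected."""
    return any(r.low <= version < r.high for r in ranges)


# Ranges transcribed from the advisory summaries above (constructed here, not fetched).
GITLAB_CVE_2024_8648 = [
    AffectedRange("16", "17.3.7"),
    AffectedRange("17.4", "17.4.4"),
    AffectedRange("17.5", "17.5.2"),
]

MATTERMOST_CVE_2024_46872 = [
    AffectedRange("9.10", "9.10.2", high_inclusive=True),
    AffectedRange("9.11", "9.11.1", high_inclusive=True),
    AffectedRange("9.5", "9.5.9", high_inclusive=True),
]


if __name__ == "__main__":
    for v in ("17.3.6", "17.3.7", "17.10.1", "17.4.3", "17.5.2-ee"):
        numeric = is_affected(v, GITLAB_CVE_2024_8648)
        lexical = naive_string_check(v, GITLAB_CVE_2024_8648)
        print(f"GitLab {v:10} numeric={'affected' if numeric else 'fixed':8} "
              f"lexical={'affected' if lexical else 'fixed'}")
```

Run against the GitLab ranges, 17.10.1 is correctly reported as not affected while the lexical check flags it; the suffix handling matters because GitLab reports versions such as `17.5.2-ee`. The same `AffectedRange` list form fits the Harbor and second GitLab entries above.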