In GitLab CE/EE versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1, a high-severity vulnerability, CVE-2024-8312, was detected. This vulnerability allows attackers to inject HTML into the Global Search field on a diff view, leading to cross-site scripting (XSS) attacks. To fix this issue, users should update GitLab to version 17.5.1, 17.4.3, or 17.3.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8312.
In OpenShift version 4, a medium-severity vulnerability, CVE-2024-50311, was detected. This vulnerability allows attackers to abuse the GraphQL batching functionality. The flaw arises because multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This causes excessive resource consumption, leading to application unavailability for legitimate users. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-50311.
In Rancher versions >= 2.6.0 and < 2.6.14, >= 2.7.0 and < 2.7.10, and >= 2.8.0 and < 2.8.2, a high-severity vulnerability, CVE-2023-32194, was detected. This vulnerability allows users with a create or * global role for "namespaces" to access, create, update, or delete core namespaces, potentially compromising project security. To fix this problem, users should upgrade to version 2.6.14, 2.7.10, 2.8.2, or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-32194.
In Rancher versions < 0.0.0-20240207153957-4fd7d821d952, a high-severity vulnerability, CVE-2023-32192, was detected. This vulnerability is an unauthenticated cross-site scripting (XSS) flaw in the public API, enabling attackers to execute arbitrary JavaScript code in a victim's browser. To fix this problem, users should upgrade to version 0.0.0-20240207153957-4fd7d821d952. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-32192.
In Rancher versions 2.7.0 and prior and 2.8.0 and prior, a medium-severity vulnerability, CVE-2024-21218, was detected. This vulnerability causes RKE1 clusters with secret encryption enabled to repeatedly reconcile, exposing Kube API secret values in plaintext on the AppliedSpec. Cluster owners, cluster members, and project members can access this data through the apiserver. To fix this issue, users are advised to upgrade to version 2.7.14 or 2.8.5. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-22032.
In Rancher versions 2.7.0 to 2.7.14, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.1, a high-severity vulnerability, CVE-2024-22030, was detected. This vulnerability allows attackers to perform a man-in-the-middle attack by controlling an expired domain or performing DNS spoofing/hijacking against the Rancher URL. To fix this issue, users must upgrade to version 2.7.15, 2.8.8, or 2.9.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22030.
In Rancher versions 2.7.0 to 2.7.13 and 2.8.0 to 2.8.4, a high-severity vulnerability, CVE-2023-32196, was detected. This vulnerability allows attackers to escalate privileges due to improper enforcement of privilege escalation checks for RoleTemplate objects when external=true. To fix this issue, users must upgrade to version 2.7.14 or 2.8.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-32196.
In GitLab EE versions 12.5 prior to 17.2.9, 17.3 prior to 17.3.5, and 17.4 prior to 17.4.2, a critical-severity vulnerability, CVE-2024-9164, was detected. This vulnerability allows attackers to run pipelines on arbitrary branches. To fix this issue, users must upgrade to version 17.2.9, 17.3.5, or 17.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9164.
In GitLab CE/EE versions 11.6 prior to 17.2.9, 17.3 prior to 17.3.5, and 17.4 prior to 17.4.2, a high-severity vulnerability, CVE-2024-8970, was detected. This vulnerability allows attackers to trigger a pipeline as another user under certain circumstances. To fix this issue, users must upgrade to version 17.2.9, 17.3.5, or 17.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8970.