In GitLab CE/EE versions 11.4 prior to 17.2.9, 17.3 prior to 17.3.5, and 17.4 prior to 17.4.2, a medium severity vulnerability CVE-2024-5005 was detected. This vulnerability allows guest users to disclose project templates using the API. To fix this issue, users must upgrade to versions 17.2.9, 17.3.5, or 17.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5005.
In GitLab versions starting from 15.10 before 17.2.9, from 17.3 before 17.3.5, and from 17.4 before 17.4.2, a high severity vulnerability CVE-2024-8977 was detected. This vulnerability could allow attackers to exploit the Product Analytics Dashboard, leading to Server-Side Request Forgery attacks. To fix this issue, upgrading to GitLab version 17.2.9, 17.3.5, or 17.4.2 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8977.
In GitLab versions starting from 16.6 before 17.2.9, from 17.3 before 17.3.5, and from 17.4 before 17.4.2, a low severity vulnerability CVE-2024-9596 was discovered. This vulnerability allows an unauthenticated attacker to determine the GitLab version number of a GitLab instance. To mitigate this issue, upgrading to GitLab version 17.2.9, 17.3.5, or 17.4.2 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9596.
In GitLab CE/EE versions 8.16 to 17.2.8, 17.3.0 to 17.3.4, and 17.4.0 to 17.4.1, a medium severity vulnerability CVE-2024-9623 was detected. This vulnerability allows attackers to use deploy keys to push to an archived repository. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9623.
In SonarQube versions before 9.9.5 LTA and 10.x before 10.5, a high severity vulnerability CVE-2024-47910 was detected. A SonarQube user with Administrator privileges can modify a GitHub integration configuration to exfiltrate a pre-signed JWT, posing a security risk. To fix this problem, users should upgrade to version 9.9.5 LTA or later and 10.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47910.
In OpenShift versions using Buildah, a medium severity vulnerability CVE-2024-9675 was detected. This vulnerability lets attackers choose paths outside the cache directory, allowing a `RUN` instruction in a Containerfile to mount any accessible directory from the host (with read/write permissions) into the container. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9675.
In GitLab versions starting from 8.16 up to 17.2.8, versions 17.3 prior to 17.3.5, and versions 17.4 prior to 17.4.2, a medium severity vulnerability related to deploy keys CVE-2024-9623 was detected. This vulnerability allows attackers to push code to an archived repository, potentially leading to unauthorized changes or data breaches. To fix this issue, users should upgrade GitLab to versions 17.2.9, 17.3.5, or 17.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-9623.
In Portainer versions prior to 2.20.2, a critical severity vulnerability CVE-2024-33662 was detected. Portainer uses an improper encryption algorithm in the AesEncrypt function, which could allow attackers to exploit vulnerabilities. To fix this problem, users should upgrade to version 2.20.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-33662.
In Jenkins versions < 2.462.3 and >= 2.466, < 2.479, a medium severity vulnerability CVE-2024-47804 was detected. This vulnerability allows attackers to bypass item creation restrictions by saving an item to persist it, even if the creation is prohibited by access control checks. To address this issue, users must upgrade to version 2.462.3 or 2.479. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47804.