In GitLab versions starting from 13.3 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, a medium severity vulnerability, CVE-2024-2743, was detected. This vulnerability allows attackers to make unauthorized modifications to on-demand DAST scans, potentially leaking sensitive variables and compromising the security of the system. To fix this issue, users should upgrade GitLab to versions 17.1.7, 17.2.5, 17.3.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-2743.
In GitLab EE versions 11.2 to 17.1.6, 17.2 to 17.2.4, and 17.3 to 17.3.1, a high severity vulnerability, CVE-2024-4660, was detected. This vulnerability allows attackers with guest access to read the source code of private projects via group templates. To fix this issue, users should upgrade GitLab EE to version 17.1.7, 17.2.5, or 17.3.2, depending on the version currently in use. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4660.
In GitLab EE versions 12.9 to 17.1.6, 17.2 to 17.2.4, and 17.3 to 17.3.1, a medium severity vulnerability, CVE-2024-4612, was detected. This vulnerability allows attackers to perform an open redirect that can disrupt the OAuth flow and potentially lead to account takeover. To fix this issue, users must upgrade to version 17.1.7, 17.2.5, or 17.3.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4612.
In GitLab versions starting from 16.5 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, a medium severity vulnerability, CVE-2024-4472, was detected. This vulnerability allows attackers to view dependency proxy credentials by examining GraphQL logs, which could lead to unauthorized access to internal resources or further exploitation of the system. To fix this issue, users should upgrade GitLab to versions 17.1.7, 17.2.5, 17.3.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4472.
In GitLab versions starting from 11.1 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, a high severity vulnerability, CVE-2024-4283, was detected. This vulnerability allows attackers to bypass the OAuth authorization process and gain access to user accounts. To fix this issue, users should upgrade GitLab to versions 17.1.7, 17.2.5, 17.3.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4283.
In GitLab versions starting from 17.1 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, a medium severity vulnerability, CVE-2024-6446, was detected. This vulnerability allows attackers to create a link that could trick a user into trusting a malicious application controlled by the attacker. To fix this issue, users should upgrade GitLab to versions 17.1.7, 17.2.5, 17.3.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6446.
In GitLab CE/EE versions from 15.10 before 17.1.7, from 17.2 before 17.2.5, and from 17.3 before 17.3.2, a medium severity vulnerability, CVE-2024-5435, was detected. This vulnerability could expose user passwords stored in repository mirror configurations. To fix this problem, users should upgrade to version 17.1.7, 17.2.5, or 17.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5435.
In GitLab CE/EE versions 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2, a medium severity vulnerability, CVE-2024-6389, was detected. This vulnerability allows attackers with guest user access to view commit information through the release Atom endpoint, bypassing the proper permission checks. To address this issue, update to version 17.1.7, 17.2.5, or 17.3.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6389.
In GitLab EE versions from 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2, a medium severity vulnerability, CVE-2024-8311, was detected. This vulnerability allows authenticated users to bypass variable overwrite protection in GitLab EE pipelines by using a CI/CD template. To fix this problem, users should upgrade to version 17.2.5, 17.3.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8311.
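Every advisory above names the same three patched releases (17.1.7, 17.2.5, 17.3.2) and differs only in the oldest affected version and in whether it applies to EE only. The script below is an added example, not GitLab's code or any vendor tooling: it transcribes those ranges into a table and tells you, for a given self-managed GitLab version and edition, which of the listed CVEs still apply and which patched release of your branch to move to. It assumes that branches newer than 17.3 are unaffected (none of the advisories name them), that a version below 17.1 must move at least to 17.1.7, and that 17.1.7 is the boundary for CVE-2024-6446 as the quoted range states; the sample versions in `main()` are constructed for illustration.

```python
"""Check a GitLab version against the advisory ranges listed on this page.

Added example; the advisory table is transcribed from the page, the logic is
the author's own and is not GitLab's tooling. No network access is needed.
"""
from __future__ import annotations

import re
from typing import NamedTuple

Version = tuple[int, int, int]

# Patched releases named by every advisory on the page, keyed by minor branch.
FIXED: dict[tuple[int, int], Version] = {
    (17, 1): (17, 1, 7),
    (17, 2): (17, 2, 5),
    (17, 3): (17, 3, 2),
}
OLDEST_PATCHED_BRANCH = (17, 1)  # assumption: anything older jumps to 17.1.7


class Advisory(NamedTuple):
    cve: str
    first_affected: Version  # the "starting from" / "from" version on the page
    ee_only: bool            # page says "GitLab EE" rather than "CE/EE"
    severity: str


ADVISORIES: list[Advisory] = [
    Advisory("CVE-2024-2743", (13, 3, 0), False, "medium"),
    Advisory("CVE-2024-4660", (11, 2, 0), True, "high"),
    Advisory("CVE-2024-4612", (12, 9, 0), True, "medium"),
    Advisory("CVE-2024-4472", (16, 5, 0), False, "medium"),
    Advisory("CVE-2024-4283", (11, 1, 0), False, "high"),
    Advisory("CVE-2024-6446", (17, 1, 0), False, "medium"),
    Advisory("CVE-2024-5435", (15, 10, 0), False, "medium"),
    Advisory("CVE-2024-6389", (17, 0, 0), False, "medium"),
    Advisory("CVE-2024-8311", (17, 2, 0), True, "medium"),
]

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '17.2.4', 'v17.3' or '17.1.7-ee' into (major, minor, patch)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(v: Version) -> bool:
    """True if v is at or past the patched release for its branch.

    Branches newer than 17.3 are treated as unaffected (assumption: no advisory
    above names them); branches older than 17.1 fall inside "prior to 17.1.7".
    """
    branch = (v[0], v[1])
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > max(FIXED)


def recommended_upgrade(v: Version) -> Version:
    """Patched release of the same branch, or 17.1.7 for older branches."""
    return FIXED.get((v[0], v[1]), FIXED[OLDEST_PATCHED_BRANCH])


def affected_advisories(version: str, edition: str = "ee") -> list[tuple[str, str, Version]]:
    """Return (cve, severity, upgrade_to) for each advisory covering `version`.

    `edition` is "ce" or "ee"; EE-only advisories are skipped for CE.
    """
    v = parse_version(version)
    if is_patched(v):
        return []
    hits: list[tuple[str, str, Version]] = []
    for adv in ADVISORIES:
        if adv.ee_only and edition.lower() != "ee":
            continue
        if v >= adv.first_affected:
            hits.append((adv.cve, adv.severity, recommended_upgrade(v)))
    return hits


def main() -> None:
    # Constructed sample versions, not taken from any real instance.
    for version, edition in [("17.2.4-ee", "ee"), ("16.11.0", "ce"), ("17.3.2", "ee")]:
        hits = affected_advisories(version, edition)
        if not hits:
            print(f"{version} ({edition}): not in any listed range")
            continue
        target = ".".join(map(str, hits[0][2]))
        print(f"{version} ({edition}): {len(hits)} advisories apply; upgrade to {target}")
        for cve, severity, _ in hits:
            print(f"  {cve} ({severity})")


if __name__ == "__main__":
    main()
```

Run it with the version reported by your instance (for example the value shown on the instance's help page) and the edition you run; a non-empty result means the instance sits inside at least one of the quoted ranges and the printed release is the minimum target for that branch.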