Developer Tools

In GitLab CE/EE versions 16.4 to 17.3.2 a high severity vulnerability CVE-2024-8124 was detected. This vulnerability in GitLab CE/EE could cause a Denial of Service through a specific POST request. To fix this problem, users should upgrade to version 17.3.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8124.

In GitLab CE/EE versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2 a low severity vulnerability CVE-2024-6685 was detected. This vulnerability allows unauthorized attackers to gain access to sensitive group runner information. To fix this problem, users should upgrade GitLab to version 17.1.7, 17.2.5, 17.3.2, or later. For additional details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6685.

In GitLab CE/EE versions from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2 a medium severity vulnerability CVE-2024-8641 was detected. This vulnerability allows attackers with a victim’s CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim. To fix this issue users should upgrade GitLab CE/EE to version 17.1.7, 17.2.5, or 17.3.2 For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8641.

In GitLab versions from 16.9.7 to before 17.1.7, 17.2 to before 17.2.5, and 17.3 to before 17.3.2 a medium severity vulnerability CVE-2024-8754 was detected. This vulnerability allows attackers to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured. To address this issue, update to GitLab version 17.1.7 or later, 17.2.5 or later, or 17.3.2 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8754.

In GitLab versions from 16.11 to before 17.1.7, from 17.2 to before 17.2.5, and from 17.3 to before 17.3.2 a high severity vulnerability CVE-2024-8640 was detected. This vulnerability allows attackers to inject commands into a connected Cube server due to incomplete input filtering. To address this issue, update to GitLab version 17.1.7, 17.2.5, or 17.3.2 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8640.

In GitLab versions from 16.8 before 17.1.7, from 17.2 before 17.2.5, and from 17.3 before 17.3.2 a high severity vulnerability CVE-2024-8635 was detected. This vulnerability allows attackers to make unauthorized requests to internal resources using a custom Maven Dependency Proxy URL. To address this issue, upgrade to GitLab version 17.1.7 or later, 17.2.5 or later, or 17.3.2 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8635.

In GitLab EE versions 16.6 to 17.1.7, 17.2 to 17.2.5, and 17.3 to 17.3.2 a high severity vulnerability CVE-2024-8631 was detected. This vulnerability allows users with the Admin Group Member custom role to escalate their privileges to include other custom roles. To address this issue, users should upgrade to GitLab EE to version 17.1.7, 17.2.5, or 17.3.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8631.

In GitLab versions 15.6 to 17.0.5, 17.1 to 17.1.3, and 17.2 to 17.2.1 a medium severity vulnerability CVE-2024-7091 was detected. This vulnerability allows attackers to disclose limited information of an exported group or project to another user. To address this issue, upgrading to the latest version of GitLab is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7091.

In OpenShift environments using Aardvark-dns versions 1.12.0 and 1.12.1 a high severity vulnerability CVE-2024-8418 was detected. This vulnerability allows attackers to exploit serial processing of TCP DNS queries, causing a denial of service. Malicious clients can keep a TCP connection open indefinitely, leading to timeouts for other DNS queries and disrupting service for all containers using Aardvark-dns. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8418.