In GitLab CE/EE versions starting from 16.3 before 17.3.7, from 17.4 before 17.4.4, and from 17.5 before 17.5.2, a low severity vulnerability, CVE-2024-9633, was detected. This vulnerability allows attackers to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks. Currently, there is no fixed version available for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-9633.
In GitLab CE/EE versions starting from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2, a medium severity vulnerability, CVE-2024-8648, was detected. This vulnerability allows attackers to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL. To fix this issue, users should upgrade GitLab CE/EE to versions 17.5.2, 17.4.4, and 17.3.7. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-8648.
In GitLab CE/EE versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, a medium severity vulnerability, CVE-2024-7404, was detected. This vulnerability allows attackers to gain full API access as the victim via the Device OAuth flow. To fix this issue, users should upgrade GitLab CE/EE to versions 17.5.2, 17.4.4, and 17.3.7. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-7404.
In Grafana OSS and Grafana Enterprise version 11.2.0, a medium severity vulnerability, CVE-2024-9476, was detected. This vulnerability allows users to access other organizations' resources via the Cloud Migration Assistant. It affects instances using the Organizations feature for resource isolation. To address this issue, users are advised to upgrade to versions 11.2.3+security-01 or 11.3.0+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-9476.
In Harbor versions 1.0.0 through 1.10.12, 2.0.0 through 2.4.2, and 2.5.0 through 2.5.1, a high severity vulnerability, CVE-2022-31671, was detected. Because of improper permission validation, this vulnerability allows malicious authenticated users to access or modify job execution logs in Harbor by sending requests with different job IDs, exposing all logs stored in the Harbor database. To fix this issue, users need to update Harbor to version 2.5.2 or above. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31671.
In Ansible versions 2, including Ansible-Core, a medium severity vulnerability, CVE-2024-11079, was found. This issue allows attackers to bypass protections and execute unsafe content using the hostvars object. If playbooks improperly handle remote data or module outputs, it could lead to arbitrary code execution. Currently, there is no fixed version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11079.
In iTop versions before 3.2.0, a high severity Cross-Site Request Forgery (CSRF) vulnerability, CVE-2024-52002, was detected. This vulnerability allows attackers to exploit certain URL endpoints to carry out unauthorized actions. To address this issue, users are advised to upgrade to version 3.2.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52002.
In iTop versions before 3.2.0, a medium severity vulnerability, CVE-2024-52001, was detected. It allows portal users to access restricted service information. This issue has been addressed in version 3.2.0, and all users are advised to upgrade. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52001.
In iTop versions before 3.2.0, a high severity vulnerability, CVE-2024-52000, was detected. It allows attackers to run malicious JavaScript by modifying request payloads. This issue is fixed in version 3.2.0 through improved error message handling. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52000.