In GitLab CE/EE versions 11.4 prior to 17.2.9, 17.3 prior to 17.3.5, and 17.4 prior to 17.4.2, a medium-severity vulnerability, CVE-2024-5005, was detected. This vulnerability allows guest users to disclose project templates through the API. To fix this issue, users must upgrade to version 17.2.9, 17.3.5, or 17.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5005.
In GitLab versions starting from 15.10 before 17.2.9, from 17.3 before 17.3.5, and from 17.4 before 17.4.2, a high-severity vulnerability, CVE-2024-8977, was detected. This vulnerability could allow attackers to exploit the Product Analytics Dashboard, leading to Server-Side Request Forgery (SSRF) attacks. To fix this issue, upgrading to GitLab version 17.2.9, 17.3.5, or 17.4.2 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8977.
In GitLab versions starting from 16.6 before 17.2.9, from 17.3 before 17.3.5, and from 17.4 before 17.4.2, a low-severity vulnerability, CVE-2024-9596, was discovered. This vulnerability allows an unauthenticated attacker to determine the version number of a GitLab instance. To mitigate this issue, upgrading to GitLab version 17.2.9, 17.3.5, or 17.4.2 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9596.
In GitLab CE/EE versions 8.16 to 17.2.8, 17.3.0 to 17.3.4, and 17.4.0 to 17.4.1, a medium-severity vulnerability, CVE-2024-9623, was detected. This vulnerability allows attackers to use deploy keys to push to an archived repository. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9623.
In Keycloak versions before 24.0.5, a high-severity vulnerability, CVE-2024-3656, was detected. This vulnerability allows low-privilege users to access administrative functionality via certain endpoints of the admin REST API, potentially leading to data breaches or system compromise. To fix this issue, users should upgrade Keycloak to version 24.0.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-3656.
In SonarQube versions before 9.9.5 LTA and 10.x before 10.5, a high-severity vulnerability, CVE-2024-47910, was detected. A SonarQube user with Administrator privileges can modify a GitHub integration configuration to exfiltrate a pre-signed JWT, posing a security risk. To fix this problem, users should upgrade to version 9.9.5 LTA or later, or to version 10.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47910.
In OpenShift versions using Buildah, a medium-severity vulnerability, CVE-2024-9675, was detected. This vulnerability lets attackers choose paths outside the cache directory, allowing a `RUN` instruction in a Containerfile to mount any accessible directory from the host (with read/write permissions) into the container. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9675.
In PHP versions 8.1 to 8.1.30, 8.2 to 8.2.24, and 8.3 to 8.3.12, a high-severity command-injection vulnerability, CVE-2024-8926, was detected. This vulnerability allows attackers to exploit certain non-standard configurations of Windows codepages, potentially enabling them to pass options to the PHP binary being executed. This may result in revealing the source code of scripts or running arbitrary PHP code on the server. To fix this issue, users must upgrade to version 8.1.30, 8.2.24, or 8.3.12. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8926.
In Discourse versions stable < 3.3.2 and tests-passed < 3.4.0.beta2, a high-severity vulnerability, CVE-2024-47773, was detected. This vulnerability allows attackers to poison the cache with empty responses through repeated XHR requests, affecting anonymous visitors. It has been patched, and users should upgrade or disable the anonymous cache by setting DISCOURSE_DISABLE_ANON_CACHE. To fix this problem, users should upgrade to version stable >= 3.3.2 or tests-passed >= 3.4.0.beta2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47773.