
GitLab has released patches for several security vulnerabilities in the latest versions of its Community Edition and Enterprise Edition software.
The most severe of these is a cross-site scripting (XSS) bug in the Web IDE's VS Code editor, tracked as CVE-2024-4835, which according to GitLab could be leveraged to hijack user accounts and exfiltrate restricted information.
The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.
The flaw was addressed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
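To turn the affected and fixed version numbers above into an inventory check, here is an added example (not code from GitLab or from the original report) that parses a GitLab version string and tests it against the three ranges stated for CVE-2024-4835; the sample version strings at the bottom are constructed.

```python
# Added example: flag GitLab versions inside the CVE-2024-4835 affected ranges.
# Range bounds come from the advisory; the sample inputs are constructed.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line: affected if lo <= v < hi
AFFECTED_RANGES = [
    ((15, 11, 0), (16, 10, 6)),   # 15.11 before 16.10.6
    ((16, 11, 0), (16, 11, 3)),   # 16.11 before 16.11.3
    ((17, 0, 0), (17, 0, 1)),     # 17.0 before 17.0.1
]


def parse_version(text: str) -> Version:
    """Turn '16.10.5-ee' or '17.0' into a (major, minor, patch) tuple.
    Edition suffixes such as -ce/-ee are dropped; missing parts default to 0."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(text: str) -> bool:
    """True if the version lies in any [first affected, first fixed) range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text: str) -> Optional[str]:
    """First fixed release on the same line, or None when not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory of instance versions.
    for sample in ["16.10.5-ee", "16.10.6", "16.11.2-ce", "17.0.0", "15.10.3"]:
        target = fixed_version_for(sample)
        status = f"affected, upgrade to {target}" if target else "not affected"
        print(f"{sample:12} {status}")
```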
GitLab also addressed a medium-severity DoS flaw, tracked as CVE-2024-2874, and a medium-severity XSRF bug in the Kubernetes Agent Server, tracked as CVE-2023-7045.
Nearly 2,000 GitLab instances impacted by another zero-click account hijacking flaw, tracked as CVE-2023-7028, remain susceptible to attack even though CISA ordered federal agencies to address the bug promptly earlier in May 2024.


