
GitLab has released patches for two vulnerabilities affecting multiple versions of its Community Edition (CE) and Enterprise Edition (EE) software. The vulnerabilities, identified as CVE-2024-8312 and CVE-2024-6826, could allow attackers to execute malicious code and disrupt service availability.
The first vulnerability, tracked as CVE-2024-8312 with a CVSS 3.1 score of 8.7, allows attackers to inject malicious HTML code into the Global Search field on a diff view. As GitLab explains in its advisory, “An attacker could inject HTML into the Global Search field on a diff view leading to XSS.” This could lead to Cross-Site Scripting (XSS) attacks, enabling attackers to steal user data, hijack sessions, or redirect users to malicious websites.
The second vulnerability, CVE-2024-6826, with a CVSS 3.1 score of 6.5, is a denial-of-service flaw that can be triggered by importing a maliciously crafted XML manifest file. This flaw could allow attackers to overload the server and disrupt service for legitimate users.
Both CE and EE are affected across a wide range of releases: all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. GitLab has addressed these vulnerabilities in versions 17.5.1, 17.4.3, and 17.3.6, and recommends that all installations running a vulnerable version be upgraded to the latest version as soon as possible.
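To turn those version ranges into a quick inventory check, here is an added Python example (not code from GitLab or its advisory) that tests a GitLab version string against the affected ranges stated above and names the minimum patched release covering that range; the version strings it checks are constructed samples.

```python
# Added example: classify GitLab CE/EE versions against the affected ranges
# published for CVE-2024-8312 and CVE-2024-6826 (ranges taken from the text above).
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges [first_affected, first_fixed), as stated in the advisory summary.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 10, 0), (17, 3, 6)),   # 15.10 up to, but not including, 17.3.6
    ((17, 4, 0), (17, 4, 3)),    # 17.4  up to, but not including, 17.4.3
    ((17, 5, 0), (17, 5, 1)),    # 17.5  up to, but not including, 17.5.1
]


def parse_version(text: str) -> Version:
    """Parse 'X.Y' or 'X.Y.Z', tolerating a trailing '-ce' / '-ee' edition tag."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ce|ee))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    """True when the version sits inside any affected range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> Optional[str]:
    """Minimum patched release for the range the version falls in, or None if not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory; replace with output of your own asset list.
    for sample in ["16.11.2-ee", "17.3.5", "17.3.6", "17.4.2", "17.5.0", "17.5.1"]:
        fix = recommended_upgrade(sample)
        status = f"AFFECTED, upgrade to >= {fix}" if fix else "not in affected ranges"
        print(f"{sample:>12}: {status}")
```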

