GitLab fixes High severity vulnerability CVE-2024-9693

GitLab has released patches to address a high-severity vulnerability that could grant unauthorized access to Kubernetes clusters.

The most serious vulnerability, tracked as CVE-2024-9693 with a CVSS score of 8.5, allows unauthorized access to the Kubernetes agent within a cluster under specific configurations.


Other vulnerabilities include:

  • Device OAuth flow vulnerability, tracked as CVE-2024-7404: this flaw could allow an attacker to gain full API access as the victim.
  • Stored XSS vulnerability, tracked as CVE-2024-8648: attackers could inject malicious JavaScript code into Analytics Dashboards through a specially crafted URL.
  • HTML injection vulnerability, tracked as CVE-2024-8180: improper output encoding could lead to cross-site scripting (XSS) attacks if Content Security Policy (CSP) is not enabled.
  • Information disclosure vulnerability, tracked as CVE-2024-10240: an unauthenticated user could potentially read information about merge requests in private projects under specific circumstances.

The patches are included in versions 17.5.2, 17.4.4, and 17.3.7 of both the Community Edition (CE) and Enterprise Edition (EE), and address a total of six security flaws, including the critical Kubernetes issue and several other medium-severity vulnerabilities.

GitLab urges all users to upgrade their self-managed installations to the latest versions immediately.
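As an added check that is not part of the original article, the following Python script compares the version reported by a self-managed instance against the fixed versions named above and lists which instances still need an upgrade. It assumes that any minor branch newer than 17.5 shipped after these fixes and that branches older than 17.3 received no backport; the hostnames in the sample inventory are constructed, and GitLab's own documented upgrade path still governs how you move between branches.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions named in the advisory (taken from the page), keyed by release branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 5): (17, 5, 2),
    (17, 4): (17, 4, 4),
    (17, 3): (17, 3, 7),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '17.4.3', '17.4.3-ee' or 'v17.4.3' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the version carries the fixes for CVE-2024-9693 and the other flaws listed."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) >= FIXED_BY_BRANCH[branch]
    # Assumption: any branch newer than 17.5 was released after these fixes.
    if branch > NEWEST_FIXED_BRANCH:
        return True
    # Assumption: branches older than 17.3 received no backport, so they stay affected.
    return False


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed version on the instance's own branch, or the oldest fixed branch
    for instances too old to have received a fix; None if already patched."""
    if is_patched(version):
        return None
    major, minor, _ = parse_version(version)
    target = FIXED_BY_BRANCH.get((major, minor), FIXED_BY_BRANCH[OLDEST_FIXED_BRANCH])
    return "{}.{}.{}".format(*target)


def instances_needing_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> recommended version for every instance that is still affected."""
    return {
        host: recommended_upgrade(ver)
        for host, ver in inventory.items()
        if not is_patched(ver)
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample = {
        "gitlab-prod.example.internal": "17.4.3-ee",
        "gitlab-dev.example.internal": "17.5.2-ce",
        "gitlab-legacy.example.internal": "17.1.6-ee",
    }
    for host, target in instances_needing_upgrade(sample).items():
        print(f"{host}: upgrade to {target}")
```

Feed `instances_needing_upgrade` the versions your instances report (for example from the `/api/v4/version` endpoint or the admin area) to get a list of hosts still exposed to the six flaws; an instance on 17.4.3 maps to 17.4.4, while one on a branch older than 17.3 is pointed at 17.3.7 as the oldest branch that received a fix.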
