
GitLab has released a security update addressing multiple vulnerabilities across several versions of its platform. The fixes ship in versions 17.6.2, 17.5.4, and 17.4.6 for both Community Edition (CE) and Enterprise Edition (EE), and cover flaws that could lead to account takeover, denial of service (DoS), and unauthorized information disclosure.
The first vulnerability, tracked as CVE-2024-11274 with a CVSS score of 8.7, allows injection of Network Error Logging (NEL) headers into Kubernetes proxy responses. The injected headers can be abused to exfiltrate session data, potentially giving an attacker unauthorized access to the victim's account.
The second vulnerability, tracked as CVE-2024-8233 with a CVSS score of 7.5, allows attackers to cause a denial of service (DoS) by repeatedly sending unauthenticated requests for diff files. It affects all GitLab versions starting from 9.4, underscoring the urgency of updating.
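Administrators of self-managed instances usually want a quick answer to "is my version still exposed, and which release do I move to?". The following added example (not part of the article or GitLab's advisory) encodes the release facts stated above: CVE-2024-8233 affects every version from 9.4 onward, and the fixes ship in 17.6.2, 17.5.4 and 17.4.6. It assumes that branches newer than 17.6 already carry the fix, and that an unsupported older branch should move to the oldest release that does.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patch releases named in the article, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (17, 6): (17, 6, 2),
    (17, 5): (17, 5, 4),
    (17, 4): (17, 4, 6),
}
# The article states CVE-2024-8233 affects all versions starting from 9.4.
FIRST_AFFECTED: Version = (9, 4, 0)
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)
OLDEST_FIXED_RELEASE = min(FIXED_RELEASES.values())


def parse_version(text: str) -> Version:
    """Parse '17.5.3', 'v17.5.3' or '17.5.3-ee' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[Version]]:
    """Return (status, upgrade_target).

    status is 'not_affected', 'patched' or 'vulnerable'; upgrade_target is the
    release to move to when vulnerable, otherwise None.
    """
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return ("not_affected", None)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        return ("patched", None) if v >= fixed else ("vulnerable", fixed)
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: branches released after 17.6 already include the fix.
        return ("patched", None)
    # Older branch with no listed patch: move to the oldest release carrying the fix.
    return ("vulnerable", OLDEST_FIXED_RELEASE)


if __name__ == "__main__":
    for sample in ("17.6.1-ee", "17.5.4", "16.11.9", "9.3.0"):  # constructed inputs
        print(sample, "->", assess(sample))
```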
GitLab strongly urges all users and administrators to apply these updates promptly to mitigate the risks associated with these vulnerabilities. Regularly updating software with the latest security patches is vital for maintaining a secure environment and preventing unauthorized access.
By addressing these critical issues, GitLab aims to enhance the overall security of its platform and protect users from potential cyber threats. Ensuring timely updates and regular security reviews can significantly reduce the risks posed by such vulnerabilities.
For more information, refer to the advisory.