SB20240613107 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2024-4201)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when viewing raw XHTML files on iOS devices. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Incorrect Regular Expression (CVE-ID: CVE-2024-1495)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions in gomod dependency linker. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

3) Incorrect Regular Expression (CVE-ID: CVE-2024-1736)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions in CI interpolation. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

4) Incorrect Regular Expression (CVE-ID: CVE-2024-1963)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions in Asana integration issue mapping when webhook is called. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

5) Input validation error (CVE-ID: CVE-2024-5469)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing agentk request validation. A remote user can send specially crafted gRPC requests and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://gitlab.com/gitlab-org/gitlab/-/issues/458229
• https://hackerone.com/reports/2473886
• https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices
• https://gitlab.com/gitlab-org/gitlab/-/issues/441807
• https://hackerone.com/reports/2359528
• https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-gomod-dependency-linker
• https://gitlab.com/gitlab-org/gitlab/-/issues/442695
• https://hackerone.com/reports/2358689
• https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-ci-interpolation-fix-bypass
• https://gitlab.com/gitlab-org/gitlab/-/issues/443577
• https://hackerone.com/reports/2376482
• https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called
• https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/