SB2025032702 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
Published: March 27, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-2255)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within merge-request error messages. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2025-0811)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to improper rendering of certain file types. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Improper access control (CVE-ID: CVE-2025-2242)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to admin privileges persists after role is revoked. A remote user can continue to maintain elevated privileges to groups and projects.
4) Improper access control (CVE-ID: CVE-2024-12619)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote administrator can gain unauthorized access to internal projects.
5) Resource exhaustion (CVE-ID: CVE-2024-10307)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can use a specially crafted terraform file in merge request, trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Stored cross-site scripting (CVE-ID: CVE-2024-9773)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Harbor registry integration. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the prompt injection in the GitLab Duo with Amazon Q. A remote user can provide a specially crafted input to manipulate AI-assisted development features and expose sensitive project data.
Remediation
Install update from vendor's website.