Reference:
Advisory #2024-99
Version:
1.0
Affected software:
GitLab CE/EE
Type:
Various, e.g. stored XSS, CSRF, cross-window forgery, DoS
CVE/CVSS:
CVE-2024-5655: CVSS 9.6(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
CVE-2024-4901: CVSS 8.7(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2024-4994: CVSS 8.1(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
CVE-2024-6323: CVSS 7.5(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Sources
https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/
Risks
GitLab has released critical updates for their version management platform. The vulnerabilities addressed in versions 17.1.1, 17.0.3, and 16.11.5 impact both the Community Edition (CE) and the Enterprise Edition (EE).
A total of 14 vulnerabilities were patched. As of the time of writing, none of these vulnerabilities are being actively exploited.
Description
CVE-2024-5655 is a vulnerability that could allow an attacker to trigger a CI pipeline as another user under certain circumstances. This vulnerability is labeled as critical and received a score of 9.6.
CVE-2024-4901 is a stored XSS vulnerability: malicious script can be introduced into a project via commit notes during import and then persists on the target server.
CVE-2024-4994 allows a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
CVE-2024-6323 allows an attacker to leak the content of a private repository in a public project.
Other vulnerabilities patched by GitLab:
- CVE-2024-2177 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8)
- CVE-2024-5430 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N, 6.8)
- CVE-2024-4025 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5)
- CVE-2024-3959 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5)
- CVE-2024-4557 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5)
- CVE-2024-1493 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5)
- CVE-2024-1816 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.3)
- CVE-2024-2191 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3)
- CVE-2024-3115 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3)
- CVE-2024-4011 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1)
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
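The patch recommendation above can be turned into a fleet check. The following Python script is an added example, not part of this advisory or of GitLab's own tooling; it compares reported GitLab versions against the fixed releases named in this advisory (17.1.1, 17.0.3, 16.11.5). It assumes that later release lines (17.2 and up) carry the fixes, that lines older than 16.11 are unpatched, and it uses a constructed host inventory.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (17, 1): (17, 1, 1),
    (17, 0): (17, 0, 3),
    (16, 11): (16, 11, 5),
}


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Parse a GitLab version such as '17.0.2-ee' or '16.11.5' into (major, minor, patch).
    Edition suffixes (-ee/-ce) and any pre-release tag are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(raw: str) -> Tuple[bool, Optional[str]]:
    """Return (patched, advice). patched is True when the installed version is at or
    above the fixed release of its line, or on a line newer than 17.1 (assumption:
    later lines include the fixes). Lines older than 16.11 are treated as unpatched."""
    version = parse_version(raw)
    line = version[:2]
    if line in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[line]
        if version >= fixed:
            return True, None
        return False, "upgrade to %d.%d.%d" % fixed
    if line > (17, 1):
        return True, None
    return False, "upgrade to 16.11.5, 17.0.3 or 17.1.1"


def main() -> None:
    # Constructed sample inventory (hostname, reported version); not real systems.
    inventory = [
        ("gitlab-prod", "17.0.2-ee"),
        ("gitlab-staging", "17.1.1-ee"),
        ("gitlab-legacy", "16.10.7"),
        ("gitlab-lts", "16.11.5-ce"),
    ]
    for host, version in inventory:
        patched, advice = assess(version)
        status = "patched" if patched else f"VULNERABLE ({advice})"
        print(f"{host:16} {version:12} {status}")


if __name__ == "__main__":
    main()
```

The reported version can be taken from the instance's own version endpoint or package manager; the check itself is offline.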
Monitor/Detect
The CCB recommends organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References