Today we are releasing versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Security fixes
Table of security fixes
Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
, 6.8).
It is now mitigated in the latest release and is assigned CVE-2024-3035.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
Cross project access of Security policy bot
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-6356.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Advanced search ReDOS in highlight for code results
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
, 4.3).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Terri Chu.
Denial of Service via banzai pipeline
Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-5423.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Denial of service using adoc files
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-4210.
Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.
ReDoS in RefMatcher when matching branch names using wildcards
ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2800.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Path encoding can cause the Web interface to not render diffs correctly.
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
, 5.7).
It is now mitigated in the latest release and is assigned CVE-2024-6329.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
XSS while viewing raw XHTML files through API
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-4207.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Ambiguous tag name exploitation
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-3958.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
Logs disclosings potentially sensitive data in query params
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
, 4.9).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Dominic Couture.
Password bypass on approvals using policy projects
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
, 4.2).
It is now mitigated in the latest release and is assigned CVE-2024-4784.
Thanks vexin for reporting this vulnerability through our HackerOne bug bounty program.
ReDoS when parsing git push
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-3114.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Webhook deletion audit log can preserve auth credentials
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
, 4.1).
It is now mitigated in the latest release and is assigned CVE-2024-7586.
This vulnerability was discovered internally by GitLab Team Anton Smith.
Bug fixes
17.2.2
- Backups: Fix parsing of existing backups in Azure storage (Backport 17.2)
- Do not consider pool repos dangling on restore
- Never return nil when search for CC service
- Fix issue in RTE related to adding text before a mention
- Backport 'Check if params data cannot be JSONified' into 17.2
- Document Rake task to show/edit token expirations
- Backport 17.2 - Introduce lock-free rescheduling for duplicate job
- Ignore unknown sequences in sequence fix migration
- Fix squished badges rendering in 17.2
- Optimize CustomAbility specs to reduce build times
- Backport Do not index associated issues that are epic work item type
- bug: Fix template error due to divided by zero
- Put groups_direct field in CI JWT tokens behind feature flag
- Backport 'Fix cluster check metrics' into 17.2
- Backport Beyond Identity bug fixes to 17.2
- Enable
project_daily_statistic_counter_attribute_fetch
FF by default - Backport 17.2: Release Environments - pipeline level resource group
- Add require_personal_access_token_expiry application setting
- Backport 17.2: Mark Cookie SameSite as default over HTTP
- Pin QA CI tests to stable gitlab-org/gitlab branches
17.1.4
- Backups: Fix parsing of existing backups in Azure storage (Backport 17.1)
- Backport 17.1 - Introduce lock-free rescheduling for duplicate job
- Table driven spec needs shorter spec titles backport
- Optimize CustomAbility specs to reduce build times
- Put groups_direct field in CI JWT tokens behind feature flag
- Increase SQL query threashold on work_items test
- Backport 'Check if params data cannot be JSONified' into 17.1
- Backport Beyond Identity bug fixes to 17.1
- Backport gitlab-qa shm fix to 17.1 stable branch
- Add require_personal_access_token_expiry application setting
17.0.6
- Backups: Fix parsing of existing backups in Azure storage (Backport 17.0)
- Backport 17.0 - Introduce lock-free rescheduling for duplicate job
- Table driven spec needs shorter spec titles backport
- Put groups_direct field in CI JWT tokens behind feature flag
- Add require_personal_access_token_expiry application setting
16.11.8
Add require_personal_access_token_expiry application setting
This default enabled, optional setting added for admins of GitLab self-managed instances on versions 16.11 and above allow them to enable mandatory expiraton on all new personal, project and group access tokens. Expirations set for existing tokens are not affected by this setting. For usage information see Require expiration dates for new access tokens
Updating
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We’re combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback