Aug 7, 2024 - Costel Maxim    

GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6

Learn more about GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Security fixes

Table of security fixes

Title Severity
Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access Medium
Cross project access of Security policy bot Medium
Advanced search ReDOS in highlight for code results Medium
Denial of Service via banzai pipeline Medium
Denial of service using adoc files Medium
ReDoS in RefMatcher when matching branch names using wildcards Medium
Path encoding can cause the Web interface to not render diffs correctly. Medium
XSS while viewing raw XHTML files through API Medium
Ambiguous tag name exploitation Medium
Logs disclosings potentially sensitive data in query params Medium
Password bypass on approvals using policy projects Medium
ReDoS when parsing git push Medium
Webhook deletion audit log can preserve auth credentials Medium

Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-3035.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

Cross project access of Security policy bot

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N , 4.4). It is now mitigated in the latest release and is assigned CVE-2024-6356.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

Advanced search ReDOS in highlight for code results

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by GitLab team member Terri Chu.

Denial of Service via banzai pipeline

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-5423.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Denial of service using adoc files

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4210.

Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.

ReDoS in RefMatcher when matching branch names using wildcards

ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-2800.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Path encoding can cause the Web interface to not render diffs correctly.

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now mitigated in the latest release and is assigned CVE-2024-6329.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.

XSS while viewing raw XHTML files through API

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N , 4.4). It is now mitigated in the latest release and is assigned CVE-2024-4207.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Ambiguous tag name exploitation

An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-3958.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.

Logs disclosings potentially sensitive data in query params

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.9). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by GitLab team member Dominic Couture.

Password bypass on approvals using policy projects

An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.2). It is now mitigated in the latest release and is assigned CVE-2024-4784.

Thanks vexin for reporting this vulnerability through our HackerOne bug bounty program.

ReDoS when parsing git push

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-3114.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Webhook deletion audit log can preserve auth credentials

An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N, 4.1). It is now mitigated in the latest release and is assigned CVE-2024-7586.

This vulnerability was discovered internally by GitLab Team Anton Smith.

Bug fixes

17.2.2

17.1.4

17.0.6

16.11.8

Add require_personal_access_token_expiry application setting

This default enabled, optional setting added for admins of GitLab self-managed instances on versions 16.11 and above allow them to enable mandatory expiraton on all new personal, project and group access tokens. Expirations set for existing tokens are not affected by this setting. For usage information see Require expiration dates for new access tokens

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

We’re combining patch and security releases

This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source