Sep 11, 2024 - Ottilia Westerlund    

GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7

Learn more about GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Security fixes

Table of security fixes

Title Severity
Execute environment stop actions as the owner of the stop action job Critical
Prevent code injection in Product Analytics funnels YAML High
SSRF via Dependency Proxy High
Denial of Service via sending a a specific POST request High
CI_JOB_TOKEN can be used to obtain GitLab session token Medium
Variables from settings are not overwritten by PEP if a template is included Medium
Guests can disclose the full source code of projects using custom group-level templates Medium
IdentitiesController allows linking of arbitrary unclaimed provider identities Medium
Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow Medium
Open redirect in release permanent links can lead to account takeover through broken OAuth flow Medium
Guest user with Admin group member permission can edit custom role to gain other permissions Medium
Exposure of protected and masked CI/CD variables by abusing on-demand DAST Medium
Credentials disclosed when repository mirroring fails Medium
Commit information visible through release atom endpoint for guest users Medium
Dependency Proxy Credentials are Logged in Plaintext in graphql Logs Medium
User Application can spoof the redirect url Low
Group Developers can view group runners information Low

Execute environment stop actions as the owner of the stop action job

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is now mitigated in the latest release and is assigned CVE-2024-6678.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

Prevent code injection in Product Analytics funnels YAML

An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 8.5). It is now mitigated in the latest release and is assigned CVE-2024-8640.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

SSRF via Dependency Proxy

A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, 7.7). It is now mitigated in the latest release and is assigned CVE-2024-8635.

This vulnerability was discovered internally by GitLab team member joernchen.

Denial of Service via sending a specific POST request

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-8124.

Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.

CI_JOB_TOKEN can be used to obtain GitLab session token

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L, 6.7). It is now mitigated in the latest release and is assigned CVE-2024-8641.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

Variables from settings are not overwritten by PEP if a template is included

An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-8311.

This vulnerability has been discovered internally by GitLab team member Andy Schoenen.

Guests can disclose the full source code of projects using custom group-level templates

An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4660.

Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.

IdentitiesController allows linking of arbitrary unclaimed provider identities

An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by GitLab team member Joern Schneeweisz.

Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow

An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4). It is now mitigated in the latest release and is assigned CVE-2024-4283.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4). It is now mitigated in the latest release and is assigned CVE-2024-4612.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Guest user with Admin group member permission can edit custom role to gain other permissions

A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N, 5.5). It is now mitigated in the latest release and is assigned CVE-2024-8631.

Thanks chotebabume for reporting this vulnerability through our HackerOne bug bounty program.

Exposure of protected and masked CI/CD variables by abusing on-demand DAST

An issue was discovered in GitLab EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-2743.

Thanks 0xn3va for reporting this vulnerability through our HackerOne bug bounty program.

Credentials disclosed when repository mirroring fails

An issue has been discovered discovered in GitLab CE/EE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, 4.5). It is now mitigated in the latest release and is assigned CVE-2024-5435.

Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.

Commit information visible through release atom endpoint for guest users

An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-6389.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Dependency Proxy Credentials are Logged in Plaintext in graphql Logs

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs. This is a medium severity issue (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 4.0). It is now mitigated in the latest release and is assigned CVE-2024-4472.

Thanks ac7n0w for reporting this vulnerability through our HackerOne bug bounty program.

User Application can spoof the redirect url

An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2024-6446.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Group Developers can view group runners information

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2024-6685.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Bug fixes

17.3.2

17.2.5

17.1.7

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

We’re combining patch and security releases

This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source