GitLab issued fixes for several security vulnerabilities through the latest versions of its Community Edition and Enterprise Edition software, BleepingComputer reports.
Most severe of the remediated flaws is a high-severity cross-site scripting bug within the Web IDE VS code editor, tracked as CVE-2024-4835, which could be leveraged to hijack user accounts and exfiltrate restricted information, according to GitLab.
GitLab also addressed a medium-severity denial-of-service flaw, tracked as CVE-2024-2874, and a medium-severity cross-site request forgery bug in the Kubernetes Agent Server, tracked as CVE-2023-7045, in addition to four other bugs of the same severity that could be exploited to facilitate unauthorized viewing of private projects' dependency lists, wiki render API/Page redos, and improper pipeline creation. Immediate implementation of the updated GitLab software versions has been urged amid the growing targeting of GitLab accounts, which could be used in supply chain attacks.
More than 2,000 of over 5,300 GitLab instances impacted by the maximum-severity zero-click account hijacking flaw, tracked as CVE-2023-7028, continue to be susceptible to attacks even after federal agencies had been ordered by the Cybersecurity and Infrastructure Security Agency to promptly address the bug.
