Application security, DevSecOps, Patch/Configuration Management

Several GitLab vulnerabilities addressed

In this photo illustration, the GitLab logo seen displayed on a smartphone screen.

GitLab issued fixes for several security vulnerabilities through the latest versions of its Community Edition and Enterprise Edition software, BleepingComputer reports.

Most severe of the remediated flaws is a high-severity cross-site scripting bug within the Web IDE VS code editor, tracked as CVE-2024-4835, which could be leveraged to hijack user accounts and exfiltrate restricted information, according to GitLab.

GitLab also addressed a medium-severity denial-of-service flaw, tracked as CVE-2024-2874, and a medium-severity cross-site request forgery bug in the Kubernetes Agent Server, tracked as CVE-2023-7045, in addition to four other bugs of the same severity that could be exploited to facilitate unauthorized viewing of private projects' dependency lists, wiki render API/Page redos, and improper pipeline creation. Immediate implementation of the updated GitLab software versions has been urged amid the growing targeting of GitLab accounts, which could be used in supply chain attacks.

More than 2,000 of over 5,300 GitLab instances impacted by the maximum-severity zero-click account hijacking flaw, tracked as CVE-2023-7028, continue to be susceptible to attacks even after federal agencies had been ordered by the Cybersecurity and Infrastructure Security Agency to promptly address the bug.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.