GitLab has released patches for seven vulnerabilities, including a high severity flaw that allowed threat actors to take over people's accounts.
The highlight of the security advisory is an XSS weakness in the VS Code editor (Web IDE), which threat actors can exploit via malicious pages. Although attackers can abuse the flaw without authentication, the bug still requires interaction from the victim, which makes exploitation somewhat more complex.
The bug is tracked as CVE-2024-4835 and is currently awaiting a severity score.
Aimed at GitLab users
“Today, we released versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” GitLab said. “These releases contain important bug and security fixes, and we strongly recommend that all GitLab installations upgrade to one of these releases immediately.”
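As an added example that is not from the article or from GitLab, the following Python check compares an installed GitLab version string against the patched releases named above (17.0.1, 16.11.3 and 16.10.6); treating every release older than 16.10.6 as also needing the upgrade is my assumption, not a statement from the advisory.

```python
# Added example: defender-side check of whether an installed GitLab version
# predates the patched releases named in the advisory.
# Fixed versions are taken from the article; treating any release older than
# the oldest patched branch (16.10) as unpatched is an assumption.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Patched release per maintained branch, keyed by (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (17, 0): (17, 0, 1),
    (16, 11): (16, 11, 3),
    (16, 10): (16, 10, 6),
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', ignoring a '-ee'/'-ce' suffix if present."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def needs_upgrade(installed: str) -> bool:
    """True if the installed version is older than the fix for its branch.

    - a branch listed in FIXED_RELEASES is patched from its fixed level onwards;
    - anything newer than the newest fixed release is treated as patched;
    - anything older than the oldest patched branch is assumed to be unpatched.
    """
    version = parse_version(installed)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    newest = max(FIXED_RELEASES.values())
    oldest = min(FIXED_RELEASES.values())
    if version > newest:
        return False
    return version < oldest  # older, unlisted branch: assumed unpatched


if __name__ == "__main__":
    # Constructed sample version strings, as reported by an instance.
    for sample in ("17.0.0-ee", "17.0.1-ee", "16.11.2", "16.10.6-ce", "16.9.4"):
        print(f"{sample:12} needs upgrade: {needs_upgrade(sample)}")
```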
Stealing people's GitLab accounts could have major ramifications, BleepingComputer reports. For example, threat actors could use the accounts to inject malware into CI/CD (Continuous Integration/Continuous Deployment) environments, thereby compromising the victim organization's repositories.
As a result, GitLab accounts are generally considered a popular target among hackers. Earlier this month, CISA warned of a major no-click account hijacking flaw that hackers are abusing in the wild. This flaw is tracked as CVE-2023-7028 and was fixed in January of this year.
When CISA adds a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, that generally means threat actors can use it to attack federal agencies. At the time of writing, around 2,000 endpoints were still vulnerable to hackers.
The patches also address a denial-of-service vulnerability, which threat actors can abuse to prevent users from loading GitLab web resources. This vulnerability is tracked as CVE-2024-2874.