GitLab High-severity Flaw Let Attackers Takeover Account – Update Now

GitLab released security patches 16.11.1, 16.10.4, and 16.9.6 for both Community and Enterprise Editions, and upgrading to these versions is strongly recommended to address vulnerabilities. 

Scheduled patch releases occur twice a month, while ad-hoc critical patches are released for high-severity vulnerabilities. Details of the vulnerabilities will be made public 30 days after the corresponding patch release. 

If the described vulnerabilities affect the installation, upgrade right away. This applies to all deployment types (omnibus, source code, helm chart, etc.) unless a specific type is mentioned as exempt.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

It identified several vulnerabilities requiring immediate attention. Under specific circumstances, an attacker could potentially take over a GitLab account when using Bitbucket for OAuth authentication (High). 

Two vulnerabilities (High) expose GitLab to denial-of-service attacks (DoS) and allow unauthorized access to restricted files: path traversal and a Regular Expression Denial-of-Service (ReDoS) in FileFinder triggered by wildcard filters. 

GraphQL subscriptions might disregard personal access token limitations (Medium), and malicious actors could bypass domain-based restrictions using a specially crafted email address (Medium).

GitLab versions before 16.9.6, 16.10.4, and 16.11.1 are vulnerable to an account takeover attack when using Bitbucket as an OAuth provider, and an attacker with a Bitbucket account could potentially take control of a linked GitLab account under specific circumstances. 

The critical issue (CVE-2024-4024) has been patched in the latest GitLab releases and was identified internally by the GitLab security team. 

It is updating Bitbucket authentication. Before May 16th, 2024, sign in to GitLab with the Bitbucket credentials to relink the accounts. Otherwise, manual re-linking will be required. 

The change may affect users with mismatched email addresses between GitLab and Bitbucket. In such cases, use the GitLab username and password to log in and re-link Bitbucket.

The versions before 16.9.6, 16.10.4, and 16.11.1 are vulnerable to two high-severity attacks, and a path traversal flaw (CVE-2024-2434, CVSS: 8.5) allows unauthenticated attackers to potentially read restricted files and crash the application (DoS). 

A separate vulnerability (CVE-2024-2829, CVSS: 7.5) exists in project file search, where a specially crafted wildcard filter can trigger a denial-of-service attack. Upgrading to the latest GitLab version is essential to address these issues. 

Versions before 16.9.6 and some later versions contain two vulnerabilities. The first (CVE-2024-4006) is that GraphQL subscriptions didn’t properly enforce Personal Access Token scopes, potentially allowing users to access unauthorized data. 

In the second (CVE-2024-1347), a specially crafted email address could bypass domain-based restrictions on groups or instances, which have now been patched in the latest GitLab releases.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo