GitLab Patches High-Severity Flaw Allowing Account Takeovers

May 23, 2024

GitLab has fixed a high-severity vulnerability that unauthenticated attackers could exploit to hijack user accounts through cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-4835, is an XSS vulnerability in the VS Code editor (Web IDE) that lets threat actors steal restricted data by luring a user to a maliciously crafted page. Although the vulnerability can be exploited without authentication, it still requires user interaction, which adds a layer of complexity to the attacks.

GitLab stated, 'Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.'
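A practical first step after an advisory like this is confirming that every GitLab instance you operate runs one of the fixed releases. The following added example (not GitLab's own code or part of the original article) takes a GitLab version string, as returned by the `/api/v4/version` endpoint (a string such as `16.11.2-ee`), and reports whether it is at or above the patched release for its branch. The patched versions are the three named in the advisory; the rule that any release newer than 17.0.1 also carries the fix, and that older branches (16.9 and below) did not receive a backport, is an assumption of this example. The sample version strings are constructed for illustration.

```python
import json
import re
import urllib.request
from typing import Dict, Iterable, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) release branch.
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 0): (17, 0, 1),
    (16, 11): (16, 11, 3),
    (16, 10): (16, 10, 6),
}

# GitLab version strings look like "16.11.2-ee" or "17.1.0-pre"; only the
# numeric MAJOR.MINOR.PATCH prefix matters for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a GitLab version string, ignoring any suffix."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the given release contains the CVE-2024-4835 fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        # Same branch as a fixed release: compare the patch level.
        return (major, minor, patch) >= PATCHED[branch]
    # Assumption: releases newer than the newest fixed branch include the fix.
    if branch > max(PATCHED):
        return True
    # Assumption: branches older than 16.10 received no backport; treat as vulnerable.
    return False


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to its patched/unpatched status."""
    return {version: is_patched(version) for version in versions}


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from a GitLab instance's authenticated version endpoint.

    Not called below, so the example runs offline; supply a read-only token.
    """
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)["version"]


if __name__ == "__main__":
    # Constructed sample inventory; not real instances.
    fleet = {
        "gitlab-prod": "17.0.0-ee",
        "gitlab-staging": "16.11.3-ee",
        "gitlab-legacy": "16.9.4-ce",
    }
    for host, version in fleet.items():
        status = "patched" if is_patched(version) else "NEEDS UPGRADE"
        print(f"{host:16} {version:12} {status}")
```

Feed `triage()` the version strings collected from each instance (via `fetch_version()` or your inventory) and upgrade every host it marks unpatched to 17.0.1, 16.11.3 or 16.10.6, whichever matches its branch.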

In addition to this high-severity flaw, GitLab also addressed six other medium-severity security vulnerabilities on the same day. These include a Cross-Site Request Forgery (CSRF) via the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug that allows attackers to interrupt the loading of GitLab web resources (CVE-2024-2874).

Given that GitLab is known to host various types of sensitive data, including API keys and proprietary code, compromised GitLab accounts could have a significant impact. This includes the potential for supply chain attacks if the attackers manage to insert malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments, thus jeopardizing an organization's repositories.

Earlier this month, CISA issued a warning about threat actors actively exploiting another zero-click account hijacking vulnerability that GitLab patched in January. Tracked as CVE-2023-7028, this maximum-severity flaw allows unauthenticated attackers to seize GitLab accounts via password resets. Although Shadowserver found over 5,300 vulnerable GitLab instances online in January, fewer than half (2,084) are still accessible at the moment.

CISA added CVE-2023-7028 to its Known Exploited Vulnerabilities Catalog on May 1, instructing U.S. federal agencies to secure their systems within three weeks by May 22.
