=====================================================================

                              CERT-Renater

                    Note d'Information No. 2024/VULN462
_____________________________________________________________________

DATE                : 13/11/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 17.5.2,
                     17.4.4 or 17.3.7.

=====================================================================
https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/
_____________________________________________________________________

  GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

Today we are releasing versions 17.5.2, 17.4.4, 17.3.7 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is
already running the patched version. GitLab Dedicated customers
do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There
are two types of patch releases: scheduled releases, and ad-hoc
critical patches for high-severity vulnerabilities. Scheduled releases
are released twice a month on the second and fourth Wednesdays.
For more information, you can visit our releases handbook and
security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are
made public on our issue tracker 30 days after the release in
which they were patched.

We are committed to ensuring all aspects of GitLab that are exposed
to customers or that host customer data are held to the highest
security standards. As part of maintaining good security hygiene,
it is highly recommended that all customers upgrade to the latest
patch release for their supported version. You can read more best
practices in securing your GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart,
etc.) of a product is mentioned, this means all types are affected.


Security fixes

Table of security fixes

Title                                                                    Severity
-----------------------------------------------------------------------  --------
Unauthorized access to Kubernetes cluster agent                          High
Device OAuth flow allows for cross window forgery                        Medium
Denial of Service by importing malicious crafted FogBugz import payload  Medium
Stored XSS through javascript URL in Analytics dashboards                Medium
HTML injection in vulnerability Code flow could lead to XSS
  on self hosted instances                                               Medium
Information disclosure through an API endpoint                           Medium

Unauthorized access to Kubernetes cluster agent


An issue was discovered in GitLab CE/EE affecting all versions starting
from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and
starting from 17.5 prior to 17.5.2, which could have allowed
unauthorized access to the Kubernetes agent in a cluster under specific
configurations. This is a high severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, 8.5). It is now mitigated
in the latest release and is assigned CVE-2024-9693.

This vulnerability was found internally by GitLab team member Tiger
Watson.


Device OAuth flow allows for cross window forgery

An issue was discovered in GitLab CE/EE affecting all versions starting
from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting
from 17.5 prior to 17.5.2, which could have allowed an attacker to gain
full API access as the victim via the Device OAuth flow. This is a medium
severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8). It is
now mitigated in the latest release and is assigned CVE-2024-7404.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.


Denial of Service by importing malicious crafted FogBugz import payload

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE
affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4
prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could
occur upon importing maliciously crafted content using the FogBugz
importer. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have requested
a CVE ID and will update this blog post when it is assigned.

Thanks a92847865 for reporting this vulnerability through our HackerOne
bug bounty program.


Stored XSS through javascript URL in Analytics dashboards

An issue has been discovered in GitLab CE/EE affecting all versions from
16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The
vulnerability could allow an attacker to inject malicious JavaScript code
in Analytics Dashboards through a specially crafted URL. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1). It
is now mitigated in the latest release and is assigned CVE-2024-8648.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.


HTML injection in vulnerability Code flow could lead to XSS on self
hosted instances

An issue has been discovered in GitLab CE/EE affecting all versions from
17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper
output encoding could lead to XSS if CSP is not enabled. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4). It is
now mitigated in the latest release and is assigned CVE-2024-8180.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.


Information disclosure through an API endpoint

An issue has been discovered in GitLab EE affecting all versions starting
from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4,
and all versions starting from 17.5 before 17.5.2, in which an
unauthenticated user may be able to read some information about an MR in
a private project, under certain circumstances. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now
mitigated in the latest release and is assigned CVE-2024-10240.

This vulnerability has been discovered internally by GitLab team member
Patrick Bajao.
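A quick way to check whether a self-managed instance falls inside the affected ranges listed above (added example, not part of the CERT-Renater note or GitLab's post; it assumes version strings of the form `17.4.3` or `17.4.3-ee` and encodes only the ranges stated in this advisory):

```python
# Added example: map a GitLab version string to the advisory entries that apply to it.
import re

def parse_version(s):
    """Turn '17.4.3' or '17.4.3-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {s!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())

# (identifier, first affected version, title) as stated in the advisory.
# The FogBugz DoS had no CVE at publication time, so it is labelled as pending.
ADVISORY = [
    ("CVE-2024-9693", "16.0", "Unauthorized access to Kubernetes cluster agent"),
    ("CVE-2024-7404", "17.2", "Device OAuth flow allows for cross window forgery"),
    ("FogBugz DoS (CVE pending)", "7.14.1", "DoS via crafted FogBugz import payload"),
    ("CVE-2024-8648", "16.0", "Stored XSS through javascript URL in Analytics dashboards"),
    ("CVE-2024-8180", "17.3", "HTML injection in vulnerability Code flow"),
    ("CVE-2024-10240", "17.3", "Information disclosure through an API endpoint"),
]

# Patched version per maintained branch; older branches never received a fix.
FIXED = {(17, 3): (17, 3, 7), (17, 4): (17, 4, 4), (17, 5): (17, 5, 2)}

def is_fixed(version):
    """True if the running version already contains the 13/11/2024 fixes."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    # Branches newer than 17.5 include the fixes; 17.2 and below do not.
    return branch > (17, 5)

def affected_issues(version):
    """Identifiers of the advisory entries that apply to this version (empty if patched)."""
    if is_fixed(version):
        return []
    v = parse_version(version)
    return [ident for ident, first, _ in ADVISORY if v >= parse_version(first)]

if __name__ == "__main__":
    for ver in ["17.5.1-ee", "17.4.4", "17.2.0", "15.11.0"]:
        print(ver, "->", affected_issues(ver) or "patched")
```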


Mattermost Security Updates October 28, 2024

Mattermost has been updated to version 10.1.2, which contains several
patches and security fixes.


Bug fixes
17.5.2

     Security patch upgrade alert: Only expose to admins 17-5
     [backport] Add epic to the scope and fix the flaky spec
     [Backport] Fix indexing subgroup associations
     Skip creating tables as partitions if any partition exists
     Add knn index setting for workitem index for opensearch clusters
     [Backport] Fix new project group templates pagination
     Update pdf worker file path in pdf viewer
     [backport] Fix issue label facet can overwrite selected labels
     Fix workitem job in 17-5-stable-ee branch
     [Backport] Go-get: return 404 error code when personal token is invalid
     Add param filtering to avoid error while saving project settings
     Skip multi-version upgrade migration spec on default branches
     Fix group wiki activity events breaking the user feed
     Destroy merge train car after branch deletion
     Backport: Remove permissions JSONB column from the condition

17.4.4

     Backport fix for incorrect error classification to 17.4
     Backport 17-4: Update GoCloud to a version that supports s3ForcePathStyle
     Use dump from 17.3.5 since 17.3 is the previous required stop
     Security patch upgrade alert: Only expose to admins 17-4
     Fix workitem job in 17-4-stable-ee branch
     Don't run e2e:test-product-analytics
     Ensure auto_merge_enabled is set when validating merge trains
     Destroy merge train car after branch deletion
     Fix broken merge train merge when target branch deleted
     Backport: Remove permissions JSONB column from the condition
     Update pdf worker file path in pdf viewer

17.3.7

     Backport dragonboat's file permission error to 17.3
     Use dump from 16.11.8 since 16.11 is the previous required stop
     Fix workitem job in 17-3-stable-ee branch


Updating

To update GitLab, see the Update page. To update GitLab Runner,
see the Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS,
subscribe to our patch release RSS feed or our RSS feed for all
releases.


We’re combining patch and security releases

This improvement in our release process matches the industry standard
and will help GitLab users get information about security and bug
fixes sooner. Read the blog post here.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
