Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN679
_____________________________________________________________________

DATE                : 09/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 18.4.2,
                                        18.3.4, 18.2.8.

=====================================================================
https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/
_____________________________________________________________________

Oct 8, 2025 - Kat Wu    
GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8

Learn more about GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

Today, we are releasing versions 18.4.2, 18.3.4, 18.2.8 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is already
running the patched version. GitLab Dedicated customers do not need
to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are
two types of patch releases: scheduled releases and ad-hoc critical
patches for high-severity vulnerabilities. Scheduled releases are
released twice a month on the second and fourth Wednesdays. For more
information, please visit our releases handbook and security FAQ.
You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made
public on our issue tracker 30 days after the release in which they
were patched.

We are committed to ensuring that all aspects of GitLab that are
exposed to customers or that host customer data are held to the
highest security standards. To maintain good security hygiene, it
is highly recommended that all customers upgrade to the latest
patch release for their supported version. You can read more best
practices in securing your GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, it means all types are
affected.


Security fixes

Table of security fixes
Title                            Severity
Incorrect authorization issue in GraphQL mutations impacts
GitLab EE 	High

Denial of Service issue in GraphQL blob type impacts GitLab
CE/EE 	High

Missing authorization issue in manual jobs impacts GitLab
CE/EE 	Medium

Denial of Service issue in webhook endpoints impacts GitLab
CE/EE 	Medium

CVE-2025-11340 - Incorrect authorization issue in GraphQL
mutations impacts GitLab EE


GitLab has remediated an issue that, under certain conditions,
could have allowed authenticated users with read-only API
tokens to perform unauthorized write operations on
vulnerability records by exploiting incorrectly scoped
GraphQL mutations.


Impacted Versions: GitLab EE: all versions from 18.3 to
18.3.4, 18.4 to 18.4.2
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)

This vulnerability has been discovered internally by GitLab
team member Brian Williams.


CVE-2025-10004 - Denial of Service issue in GraphQL blob
type impacts GitLab CE/EE

GitLab has remediated an issue that could make the GitLab
instance unresponsive or degraded by sending crafted GraphQL
queries requesting large repository blobs.
Impacted Versions: GitLab CE/EE: all versions from 13.12 to
18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks pwnie for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-9825 - Missing authorization issue in manual jobs
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed
authenticated users without project membership to view
sensitive manual CI/CD variables by querying the GraphQL
API.
Impacted Versions: GitLab CE/EE: all versions from 13.7
to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Thanks joaxcar for reporting this vulnerability through
our HackerOne bug bounty program.


CVE-2025-2934 - Denial of Service issue in webhook
endpoints impacts GitLab CE/EE

GitLab has remediated an issue impacting an upstream
Ruby Core library that could have allowed an
authenticated user to create a denial of service
condition by configuring malicious webhook endpoints
that send crafted HTTP responses. This issue was
reported to Ruby Core maintainers on July 17, 2025.
Impacted Versions: GitLab CE/EE: all versions from 5.2
prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior
to 18.4.2
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Thanks ppee for reporting this vulnerability through our
HackerOne bug bounty program.


Bug fixes

18.4.2

    Backport of 'Added safety chaining to pipeline
helper'
    Workhorse: Improve large HTTP handling for DWS
proxy
    Backport of 'Fix: no implicit conversion of String
into Array' in Geo::Event workers
    Backport: Fix agentic chat
    [18.4] Clear detached partitions before tests run
    Backport 'Fixes target projects endpoint 404 on compare revisions view'
    Transfer start and due dates data upon work item move or clone
    Backport of 'Fix reassignment dropdown in CE'
    Transfer health status data upon work item move or clone
    Backport of Revert "Merge branch 'ai-catalog-item-consumers-graphql' into 'master'"
    Backport of CI_MERGE_REQUEST_DIFF_BASE_SHA not updating on branch change
    Backport of "Use key-value structure in Release Environment MR label script"
    Backport of 'Fix Start free trial link for self-managed instances'
    Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
    Backport of 'Remove non Saas instances from calling CDOT for trial duration'
    Backport of 'Remove check_f02a3f53bf not null constraint'
    18.4 backport of 'Remove unknown licenses from sbom dependency list export'
    [18.4] Fix json validation for elasticsearch_aws_role_arn
    Backport: Change the model selection FF used for self managed
    [18.4] Prevent session creation for sessionless users
    Add a gitlab::config alias for package::config recipe

18.3.4

    Workhorse: Improve large HTTP handling for DWS proxy
    [18.3] Clear detached partitions before tests run
    Backport 'Fixes target projects endpoint 404 on compare revisions view'
    Transfer start and due dates data upon work item move or clone
    Backport of 'Fix reassignment dropdown in CE'
    Transfer health status data upon work item move or clone
    Backport of "Use key-value structure in Release Environment MR label script"
    Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
    Backport of 'Remove non Saas instances from calling CDOT for trial duration'
    18.3 backport of 'Remove unknown licenses from sbom dependency list export'
    Update docs hugo jobs' image to use latest image

18.2.8

    [18.2] Allow elastic client adapter to be set
    [18.2] Clear detached partitions before tests run
    Transfer start and due dates data upon work item move or clone
    Backport of 'Fix reassignment dropdown in CE'
    Transfer health status data upon work item move or clone
    Backport of "Use key-value structure in Release Environment MR label script"
    Update dependency gitlab-fog-azure-rm to '~> 2.4.0'
    [18.2] Fix json validation for elasticsearch_aws_role_arn
    18.2 backport of 'Remove unknown licenses from sbom dependency list export'
    Backport of 'Fix Start free trial link for self-managed instances'
    Update docs hugo jobs' image to use latest image


Important notes on upgrading

This patch includes database migrations that may impact
your upgrade process.
Impact on your installation:

    Single-node instances: This patch will cause downtime during
the upgrade as migrations must complete before GitLab can start.

    Multi-node instances: With proper zero-downtime upgrade
procedures, this patch can be applied without downtime.


Post-deploy migrations

The following versions include post-deploy migrations that can
run after the upgrade:

    18.4.2

To learn more about the impact of upgrades on your installation,
see:

    Zero-downtime upgrades for multi-node deployments
    Standard upgrades for single-node installations


Updating

To update GitLab, see the Update page. To update Gitlab Runner,
see the Updating the Runner page.
Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS,
subscribe to our patch release RSS feed or our RSS feed for all
releases.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================