Cybersecurirty

GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.

Summary

OEM	Gitlab
Severity	High
CVEs	CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues.

Vulnerability Name	CVE ID	Product Affected	Severity
Import Functionality Vulnerabilities	CVE-2024-6385	GitLab CE/EE	Critical
Import Functionality Vulnerabilities	CVE-2024-5655	GitLab CE/EE	High
Import Functionality Vulnerabilities	CVE-2024-6678	GitLab CE/EE	High
Import Functionality Vulnerabilities	CVE-2024-8970	GitLab CE/EE	High
Access Token Exposure in Logs	CVE-2025-0194	GitLab CE/EE	Medium
Cyclic Reference of Epics Leading to DoS	CVE-2024-6324	GitLab CE/EE	Medium
Unauthorized Manipulation of Issue Status	CVE-2024-12431	GitLab CE/EE	Medium
Instance SAML Bypass	CVE-2024-13041	GitLab CE/EE	Medium

Technical Summary

This update addresses several significant vulnerabilities identified in GitLab CE/EE:

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-6385	GitLab CE/EE	Vulnerability in import functionality allowing potential exploitation	Allows attackers to exploit the system.
CVE-2024-5655
CVE-2024-6678
CVE-2024-8970
CVE-2025-0194	GitLab CE/EE	Possible exposure of access tokens in logs under certain conditions.	Potential unauthorized access to sensitive resources.
CVE-2024-6324	GitLab CE/EE	Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS).	Service disruption due to resource exhaustion.
CVE-2024-12431	GitLab CE/EE	Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows.	Workflow disruption and compromised data integrity.
CVE-2024-13041	GitLab CE/EE	Flaw in instance SAML configuration allowing bypass of external provider settings.	Unauthorized access to internal projects or groups.

Key Changes to Import Functionality:

Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security.

Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains.

User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access.

Remediation:

Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities.

Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward.

Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.

Conclusion:

The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.

References: