GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.
Summary
| OEM | Gitlab |
| Severity | High |
| CVEs | CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Import Functionality Vulnerabilities | CVE-2024-6385 | GitLab CE/EE | Critical |
| Import Functionality Vulnerabilities | CVE-2024-5655 | GitLab CE/EE | High |
| Import Functionality Vulnerabilities | CVE-2024-6678 | GitLab CE/EE | High |
| Import Functionality Vulnerabilities | CVE-2024-8970 | GitLab CE/EE | High |
| Access Token Exposure in Logs | CVE-2025-0194 | GitLab CE/EE | Medium |
| Cyclic Reference of Epics Leading to DoS | CVE-2024-6324 | GitLab CE/EE | Medium |
| Unauthorized Manipulation of Issue Status | CVE-2024-12431 | GitLab CE/EE | Medium |
| Instance SAML Bypass | CVE-2024-13041 | GitLab CE/EE | Medium |
Technical Summary
This update addresses several significant vulnerabilities identified in GitLab CE/EE:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-6385 | GitLab CE/EE | Vulnerability in import functionality allowing potential exploitation | Allows attackers to exploit the system. |
| CVE-2024-5655 | |||
| CVE-2024-6678 | |||
| CVE-2024-8970 | |||
| CVE-2025-0194 | GitLab CE/EE | Possible exposure of access tokens in logs under certain conditions. | Potential unauthorized access to sensitive resources. |
| CVE-2024-6324 | GitLab CE/EE | Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS). | Service disruption due to resource exhaustion. |
| CVE-2024-12431 | GitLab CE/EE | Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows. | Workflow disruption and compromised data integrity. |
| CVE-2024-13041 | GitLab CE/EE | Flaw in instance SAML configuration allowing bypass of external provider settings. | Unauthorized access to internal projects or groups. |
Key Changes to Import Functionality:
- Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security.
- Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains.
- User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access.
Remediation:
- Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities.
- Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward.
- Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.
Conclusion:
The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.
References:
Image