GitLab Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in GitLab products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-2800

  • GitLab EE/CE versions: 11.3 (inclusive) ~ 17.0.6 (excluded)
  • GitLab EE/CE versions: 17.1 (inclusive) ~ 17.1.4 (excluded)
  • GitLab EE/CE versions: 17.2 (inclusive) ~ 17.2.2 (excluded)

CVE-2024-6329

  • GitLab EE/CE versions: 8.16 (inclusive) ~ 17.0.6 (excluded)
  • GitLab EE/CE versions: 17.1 (inclusive) ~ 17.1.4 (excluded)
  • GitLab EE/CE versions: 17.2 (inclusive) ~ 17.2.2 (excluded)

Resolved Vulnerabilities

  • Vulnerability in GitLab EE/CE that allows denial of service via regular expression backtracking (CVE-2024-2800)
  • Vulnerability in GitLab EE/CE that prevents the web interface from rendering diffs correctly when the path is encoded (CVE-2024-6329)

Vulnerability Patches

The following product-specific vulnerability patches have been made available in the latest update. Follow the instructions on the referenced sites to update to a patched version.

CVE-2024-2800, CVE-2024-6329

  • GitLab EE/CE version: 17.0.6
  • GitLab EE/CE version: 17.1.4
  • GitLab EE/CE version: 17.2.2
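As an added example (not part of the ASEC advisory or of GitLab's own tooling), the checker below encodes the affected ranges and the fixed versions listed above, so an operator can classify an instance's reported version string (for example the value shown on the GitLab "Help" page) and see which CVEs still apply and which patched release to move to. The version-string format and the "-ee"/"-ce" suffix handling are assumptions.

```python
import re

# Affected ranges from the advisory: (lower bound inclusive, upper bound exclusive).
# "11.3 (inclusive)" is read as 11.3.0; "17.0.6 (excluded)" means 17.0.6 is fixed.
AFFECTED_RANGES = {
    "CVE-2024-2800": [((11, 3, 0), (17, 0, 6)), ((17, 1, 0), (17, 1, 4)), ((17, 2, 0), (17, 2, 2))],
    "CVE-2024-6329": [((8, 16, 0), (17, 0, 6)), ((17, 1, 0), (17, 1, 4)), ((17, 2, 0), (17, 2, 2))],
}

# Patched releases from the advisory, oldest minor line first.
FIXED_VERSIONS = ((17, 0, 6), (17, 1, 4), (17, 2, 2))


def parse_version(text):
    """Turn '17.1.3' or '17.1.3-ee' into a (major, minor, patch) tuple.

    A release suffix such as '-ee' or '-ce' is ignored (assumed format), and a
    missing patch component ('17.1') is read as .0, matching the advisory's
    'X.Y (inclusive)' notation.
    """
    core = text.strip().split("-")[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(version_text):
    """Return the CVEs from this advisory whose affected range contains the version."""
    v = parse_version(version_text)
    return sorted(
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(lo <= v < hi for lo, hi in ranges)
    )


def recommended_upgrade(version_text):
    """Patched release to move to: same minor line if one exists, else the newest.

    Returns None when the version is not in any affected range.
    """
    if not affected_cves(version_text):
        return None
    v = parse_version(version_text)
    same_line = [f for f in FIXED_VERSIONS if f[:2] == v[:2]]
    target = same_line[0] if same_line else FIXED_VERSIONS[-1]
    return ".".join(map(str, target))
```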

References

[1] CVE-2024-2800 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-2800

[2] GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6

https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-released/

[3] CVE-2024-6329 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-6329

Article Link: GitLab Product Security Update Advisory – ASEC