Hello fellow GitLab users!

I stumbled upon some alarming news today and I wanted to share it with you all, especially those of you who are using GitLab CE/EE. A vulnerability, CVE-2024-7091, has been discovered in all GitLab CE/EE versions starting from 15.6 to the most recent versions. This vulnerability discloses limited information about your group or project exports to other users. But don't you worry folks as we’ll be providing the necessary patches and fixes for the same in this post!

Affected Versions:
- GitLab CE/EE 15.6 onwards before 17..5
- GitLab CE/EE 17.1 before 17.1.3
- GitLab CE/EE 17.2 before 17.2.1

Vulnerability Details

The problem stems from GitLab’s implementation in exporting groups and projects. When a user exports a group or a project, the exported content might contain sensitive data. Unfortunately, due to this flaw, another user in the same GitLab instance could obtain limited information about the exported item.

Exploit Details

Although an exploit has not been publicly disclosed, the attackers could potentially extract and misuse the sensitive information that they gain access to through this vulnerability. Hence, it is recommended that you apply the relevant patches that are listed below.

Patches and Fixes

Thankfully, GitLab was quick to take action in addressing this issue and has released the following patches:

- For GitLab CE/EE starting from 15.6 through to prior 17..5: Update to version 17..5
- For GitLab CE/EE starting from 17.1 and prior to 17.1.3: Update to version 17.1.3
- For GitLab CE/EE starting from 17.2 and prior to 17.2.1: Update to version 17.2.1

You can also refer to the official advisory by GitLab for more information on the addressed security issues.

To upgrade your GitLab instance to the latest version, you can simply follow these steps

sudo apt-get update            # For Ubuntu/Debian based distributions
sudo apt-get install gitlab-ee # For Ubuntu/Debian based distributions

or

sudo yum update                # For CentOS/RHEL based distributions
sudo yum install gitlab-ee     # For CentOS/RHEL based distributions

Remember to replace gitlab-ee with gitlab-ce if you are using the Community Edition of GitLab.

Wrap-up

So, if you're using any of the affected GitLab CE/EE versions, do not waste time and immediately update to the patched versions as mentioned above. Let's keep our collaborations and projects private and secure!

Feel free to share this information with your team and fellow GitLab users. Stay safe and happy coding!

Timeline

Published on: 07/24/2024 23:15:10 UTC
Last modified on: 07/25/2024 15:03:32 UTC