Today we are releasing versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Security fixes
Table of security fixes
Execute environment stop actions as the owner of the stop action job
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9).
It is now mitigated in the latest release and is assigned CVE-2024-6678.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Prevent code injection in Product Analytics funnels YAML
An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.
This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 8.5).
It is now mitigated in the latest release and is assigned CVE-2024-8640.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
SSRF via Dependency Proxy
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, 7.7).
It is now mitigated in the latest release and is assigned CVE-2024-8635.
This vulnerability was discovered internally by GitLab team member joernchen.
Denial of Service via sending a specific POST request
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5).
It is now mitigated in the latest release and is assigned CVE-2024-8124.
Thanks sim4n6 for reporting this vulnerability through our HackerOne bug bounty program.
CI_JOB_TOKEN can be used to obtain GitLab session token
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L, 6.7).
It is now mitigated in the latest release and is assigned CVE-2024-8641.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Variables from settings are not overwritten by PEP if a template is included
An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-8311.
This vulnerability has been discovered internally by GitLab team member Andy Schoenen.
Guests can disclose the full source code of projects using custom group-level templates
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-4660.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
IdentitiesController allows linking of arbitrary unclaimed provider identities
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Joern Schneeweisz.
Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow
An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-4283.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Open redirect in release permanent links can lead to account takeover through broken OAuth flow
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, 6.4).
It is now mitigated in the latest release and is assigned CVE-2024-4612.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Guest user with Admin group member permission can edit custom role to gain other permissions
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N, 5.5).
It is now mitigated in the latest release and is assigned CVE-2024-8631.
Thanks chotebabume for reporting this vulnerability through our HackerOne bug bounty program.
Exposure of protected and masked CI/CD variables by abusing on-demand DAST
An issue was discovered in GitLab EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-2743.
Thanks 0xn3va for reporting this vulnerability through our HackerOne bug bounty program.
Credentials disclosed when repository mirroring fails
An issue has been discovered discovered in GitLab CE/EE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, 4.5).
It is now mitigated in the latest release and is assigned CVE-2024-5435.
Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.
Commit information visible through release atom endpoint for guest users
An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-6389.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
Dependency Proxy Credentials are Logged in Plaintext in graphql Logs
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.
This is a medium severity issue (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 4.0).
It is now mitigated in the latest release and is assigned CVE-2024-4472.
Thanks ac7n0w for reporting this vulnerability through our HackerOne bug bounty program.
User Application can spoof the redirect url
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5).
It is now mitigated in the latest release and is assigned CVE-2024-6446.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Group Developers can view group runners information
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2024-6685.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
Bug fixes
17.3.2
- UBI: Backport openssl gem pin to 17-3-stable
- Backport "Disable allow_failure for release-environments pipeline"
- Fix issue when resizing images in RTE
- Backport fix for listing projects via API
- Backport lock retries timeout for sliding list strategy to
17-3 - backport archived filter regression bugfix
- Ensure to update updated_at when updating access data
- Backport OpenSSL v3 callout to 17.3
- Quarantine pypi package registry spec
- Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug
- [17.3 Backport] Bump OpenSSL to 3.2.0
- Backport 17.3 - Remove elasticsearch call on init
- Downgrade OpenSSL version to 1.1.1
- [17.3 Backport] Deprecate CentOS 7
17.2.5
- Backport "Disable allow_failure for release-environments pipeline"
- Always build assets image when tagging
- Update google-cloud-core and google-cloud-env gems
- Backport to 17.2: Fixes Geo Replication Details incorrectly empty
- Backport OpenSSL v3 callout to 17.2
- Backport to 17.2: Fix JobArtifactState query timeout
- CI: Add test basic package functionality before release (17.2 Backport)
- Use latest builder images for check-packages pipeline (17.2 Backport)
- [17.2 Backport] Deprecate CentOS 7
17.1.7
- Backport "Disable allow_failure for release-environments pipeline"
- Backport to 17.1: Fixes Geo Replication Details view
- Backport OpenSSL v3 callout to 17.1
- Backport to 17.1: Fix JobArtifactState query timeout
- CI: Add test basic package functionality before release (17.1 Backport)
- Use latest builder images for check-packages pipeline (17.1 Backport)
- [17.1 Backport] Deprecate CentOS 7
Updating
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We’re combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback