GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

Today we are releasing versions 17.5.2, 17.4.4, 17.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Unauthorized access to Kubernetes cluster agent	High
Device OAuth flow allows for cross window forgery	Medium
Denial of Service by importing malicious crafted FogBugz import payload	Medium
Stored XSS through javascript URL in Analytics dashboards	Medium
HTML injection in vulnerability Code flow could lead to XSS on self hosted instances	Medium
Information disclosure through an API endpoint	Medium

Unauthorized access to Kubernetes cluster agent

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, 8.5). It is now mitigated in the latest release and is assigned CVE-2024-9693.

This vulnerability was found internally by a GitLab team member Tiger Watson.

Device OAuth flow allows for cross window forgery

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-7404.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Denial of Service by importing malicious crafted FogBugz import payload

A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.

Stored XSS through javascript URL in Analytics dashboards

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1). It is now mitigated in the latest release and is assigned CVE-2024-8648.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

HTML injection in vulnerability Code flow could lead to XSS on self hosted instances

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2024-8180.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Information disclosure through an API endpoint

An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-10240.

This vulnerability has been discovered internally by GitLab team member Patrick Bajao.

Mattermost Security Updates October 28, 2024

Mattermost has been updated to versions 10.1.2, which contains several patches and security fixes.

Bug fixes

17.5.2

• Security patch upgrade alert: Only expose to admins 17-5
• [backport] Add epic to the scope and fix the flaky spec
• [Backport] Fix indexing subgroup associations
• Skip creating tables as partitions if any partition exists
• Add knn index setting for workitem index for opensearch clusters
• [Backport]Fix new project group templates pagination
• Update pdf worker file path in pdf viewer
• [backport] Fix issue label facet can overwrite selected labels
• Fix workitem job in 17-5-stable-ee branch
• [Backport] Go-get: return 404 error code when personal token is invalid
• Add param filtering to avoid error while saving project settings
• Skip multi-version upgrade migration spec on default branches
• Fix group wiki activity events breaking the user feed
• Destroy merge train car after branch deletion
• Backport: Remove permissions JSONB column from the condition

17.4.4

• Backport fix for incorrect error classification to 17.4
• Backport 17-4: Update GoCloud to a version that supports s3ForcePathStyle
• Use dump from 17.3.5 since 17.3 is the previous required stop
• Security patch upgrade alert: Only expose to admins 17-4
• Fix workitem job in 17-4-stable-ee branch
• Don't run e2e:test-product-analytics
• Ensure auto_merge_enabled is set when validating merge trains
• Destroy merge train car after branch deletion
• Fix broken merge train merge when target branch deleted
• Backport: Remove permissions JSONB column from the condition
• Update pdf worker file path in pdf viewer

17.3.7

• Backport dragonboat's file permission error to 17.3
• Use dump from 16.11.8 since 16.11 is the previous required stop
• Fix workitem job in 17-3-stable-ee branch

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.

We’re combining patch and security releases

This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.