GitLab Urges Immediate Upgrade to Thwart Account Takeover Vulnerability


GitLab Patches High-Severity XSS Vulnerability Allowing Account Takeover

GitLab, a popular web-based Git repository manager, has released updates to address a high-severity cross-site scripting (XSS) vulnerability that could allow unauthenticated attackers to hijack user accounts. The flaw, tracked as CVE-2024-4835, resides in the VS Code editor (Web IDE) and lets threat actors steal sensitive information using maliciously crafted pages.

While the vulnerability can be exploited without authentication, user interaction is still required, adding a layer of complexity to potential attacks. GitLab strongly recommends that all installations be upgraded to the newly released versions 17.0.1, 16.11.3, or 16.10.6 for both Community Edition (CE) and Enterprise Edition (EE) immediately.
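As an added example (not from the article or from GitLab), a small fleet-triage helper that classifies inventoried GitLab version strings against the three fixed releases named above. The hostnames and versions in the sample inventory are constructed, and treating release lines older than 16.10 as unpatched (and lines newer than 17.0 as patched) is an assumption, since the article lists no other backports.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory for CVE-2024-4835 (same for CE and EE).
FIXED_VERSIONS = ("17.0.1", "16.11.3", "16.10.6")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as '16.11.2-ee'; None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fix for its release line.

    Assumption (not stated in the article): lines newer than 17.0 already carry the
    fix, and lines older than 16.10 received no backport and are treated as unpatched.
    """
    v = parse_version(version)
    if v is None:
        return None
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    for fix in fixes:
        if v[:2] == fix[:2]:  # same major.minor line: compare the patch level
            return v[2] >= fix[2]
    return v > max(fixes)  # no matching line: newer than every fix, or older than all


def triage(inventory: dict) -> dict:
    """Label each host as 'patched', 'vulnerable' or 'unknown'."""
    labels = {}
    for host, ver in inventory.items():
        result = is_patched(ver)
        labels[host] = "unknown" if result is None else ("patched" if result else "vulnerable")
    return labels


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "git-a.example.internal": "17.0.1-ee",
    "git-b.example.internal": "16.11.2-ce",
    "git-c.example.internal": "16.9.8",
    "git-d.example.internal": "17.1.0",
    "git-e.example.internal": "unknown build",
}
```

Feed it the version strings your inventory already records for each instance; an "unknown" label means the string could not be parsed and the host needs a manual look.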

In addition to the high-severity XSS vulnerability, GitLab also patched six other medium-severity security flaws on Wednesday. These include a Cross-Site Request Forgery (CSRF) vulnerability via the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug (CVE-2024-2874) that could allow attackers to disrupt the loading of GitLab web resources.

GitLab has become a prime target for cybercriminals due to the sensitive nature of the data it hosts, such as API keys and proprietary code. Compromised GitLab accounts can have severe consequences, potentially leading to supply chain attacks if malicious code is inserted into CI/CD (Continuous Integration/Continuous Deployment) environments, compromising an organization's repositories.

Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors are actively exploiting another zero-click account hijacking vulnerability (CVE-2023-7028) patched by GitLab in January. This maximum severity security flaw allows unauthenticated attackers to take over GitLab accounts via password resets. Although Shadowserver discovered over 5,300 vulnerable GitLab instances exposed online in January, only 2,084 remain reachable at present.

CISA added CVE-2023-7028 to its Known Exploited Vulnerabilities Catalog on May 1, requiring U.S. federal agencies to secure their systems by May 22, a three-week deadline.

As GitLab continues to be a valuable resource for developers and organizations worldwide, it is crucial for users to prioritize security updates and maintain vigilance against potential threats. By promptly applying the latest patches and following best practices for securing their GitLab instances, organizations can mitigate the risks associated with these vulnerabilities and protect their valuable data and assets.