Today we are releasing versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to
one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases:
scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays.
For more information, you can visit our releases handbook and security FAQ.
You can see all GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to
the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers
upgrade to the latest patch release for their supported version. You can read more about
best practices for securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Security fixes
Table of security fixes

| Title | Severity |
| --- | --- |
| Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access | Medium |
| Cross project access of Security policy bot | Medium |
| Advanced search ReDOS in highlight for code results | Medium |
| Denial of Service via banzai pipeline | Medium |
| Denial of service using adoc files | Medium |
| ReDoS in RefMatcher when matching branch names using wildcards | Medium |
| Path encoding can cause the Web interface to not render diffs correctly. | Medium |
| XSS while viewing raw XHTML files through API | Medium |
| Ambiguous tag name exploitation | Medium |
| Logs disclosing potentially sensitive data in query params | Medium |
| Password bypass on approvals using policy projects | Medium |
| ReDoS when parsing git push | Medium |
| Webhook deletion audit log can preserve auth credentials | Medium |

Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed LFS tokens to read and write to user-owned repositories.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8).
It is now mitigated in the latest release and is assigned CVE-2024-3035.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
Cross project access of Security policy bot
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-6356.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Advanced search ReDOS in highlight for code results
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Terri Chu.
Denial of Service via banzai pipeline
Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed an attacker to cause resource exhaustion via the banzai pipeline.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-5423.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Denial of service using adoc files
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-4210.
Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne bug bounty program.
ReDoS in RefMatcher when matching branch names using wildcards
A ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows a denial of service via regex backtracking.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2800.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
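The RefMatcher entry above describes the general ReDoS shape: a wildcard pattern is turned into a regular expression, and a crafted branch name makes the engine backtrack. The following Ruby block is an added example, not GitLab's RefMatcher code or its fix; it shows the regex shortcut that is susceptible to superlinear backtracking beside a two-pointer glob matcher that never backtracks further than the most recent `*`. Function names (`wildcard_regex`, `wildcard_match?`, `matching_patterns`) and the sample patterns are assumptions made for this example; only `*` is treated as a wildcard, matching GitLab's documented protected-branch wildcard syntax.

```ruby
# Added example, not GitLab's RefMatcher code: matching a branch name
# against wildcard patterns (e.g. "release/*") without regex backtracking.

# The usual shortcut turns each '*' into '.*' and hands the result to the
# regex engine. With several stars and a name that does not match, the
# engine may try a superlinear number of ways to split the name between
# the '.*' groups, which is the ReDoS shape the advisory describes.
def wildcard_regex(pattern)
  body = pattern.split('*', -1).map { |lit| Regexp.escape(lit) }.join('.*')
  Regexp.new("\\A#{body}\\z")
end

# Backtracking-free alternative: the classic two-pointer glob matcher.
# On a mismatch it only rewinds to the most recent '*', so the worst case
# is O(pattern.length * name.length) rather than exponential.
def wildcard_match?(pattern, name)
  p = n = 0
  star = nil   # index in pattern of the last '*' seen
  star_n = 0   # index in name where that '*' started matching
  while n < name.length
    if p < pattern.length && pattern[p] == '*'
      star = p
      star_n = n
      p += 1
    elsif p < pattern.length && pattern[p] == name[n]
      p += 1
      n += 1
    elsif star
      # Let the last '*' absorb one more character and retry from there.
      p = star + 1
      star_n += 1
      n = star_n
    else
      return false
    end
  end
  # Any trailing stars may match the empty string.
  p += 1 while p < pattern.length && pattern[p] == '*'
  p == pattern.length
end

# Returns the protection patterns that apply to a branch name.
def matching_patterns(name, patterns)
  patterns.select { |pat| wildcard_match?(pat, name) }
end

if __FILE__ == $0
  # Constructed sample rules, not taken from any real project.
  rules = ['main', 'release/*', '*-stable']
  %w[main release/17.2 v1-stable feature/x].each do |branch|
    puts "#{branch}: #{matching_patterns(branch, rules).inspect}"
  end
end
```

The two matchers agree on every input; the difference is only in the time they take on adversarial names, so the safe choice is to keep the wildcard matcher and reserve the regex form for patterns that have been bounded in length and star count.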
Path encoding can cause the Web interface to not render diffs correctly.
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7).
It is now mitigated in the latest release and is assigned CVE-2024-6329.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
XSS while viewing raw XHTML files through API
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4).
It is now mitigated in the latest release and is assigned CVE-2024-4207.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Ambiguous tag name exploitation
An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 that allows someone to abuse a discrepancy between the web application display and the git command line interface to social engineer victims into cloning non-trusted code.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2024-3958.
Thanks st4nly0n for reporting this vulnerability through our HackerOne bug bounty program.
Logs disclosing potentially sensitive data in query params
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.9).
We have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability was discovered internally by GitLab team member Dominic Couture.
Password bypass on approvals using policy projects
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.2).
It is now mitigated in the latest release and is assigned CVE-2024-4784.
Thanks vexin for reporting this vulnerability through our HackerOne bug bounty program.
ReDoS when parsing git push
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, where the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2024-3114.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Webhook deletion audit log can preserve auth credentials
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N, 4.1).
It is now mitigated in the latest release and is assigned CVE-2024-7586.
This vulnerability was discovered internally by GitLab team member Anton Smith.
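Two entries above share a failure mode: the "Logs disclosing potentially sensitive data in query params" issue (a token supplied as an API query parameter reached a log) and the "Webhook deletion audit log can preserve auth credentials" issue (an audit event kept the webhook's credentials). The Ruby block below is an added example of the mitigation pattern, not GitLab's code or its actual fix: a filter that scrubs credential-bearing query parameters and URL-embedded `user:password` from request URLs, and walks an audit-event payload redacting keys that look like credentials, before anything is serialized into a log line. The parameter and key lists, the `FILTERED` marker, and all sample URLs and payloads are constructed for this example.

```ruby
# Added example, not GitLab's fix: scrub credentials from request URLs and
# audit-event payloads before they are written to a log line.
require 'uri'
require 'cgi'
require 'json'

REDACTED = 'FILTERED'
# Query parameter names that carry credentials (list chosen for this example).
SENSITIVE_PARAMS = %w[private_token access_token token password].freeze
# Hash keys are matched by substring so that e.g. "Authorization" and
# "secret_token" are caught without enumerating every spelling.
SENSITIVE_KEY_FRAGMENTS = %w[token secret password authorization].freeze

def sensitive_key?(key)
  k = key.to_s.downcase
  SENSITIVE_KEY_FRAGMENTS.any? { |frag| k.include?(frag) }
end

# Redacts credential-bearing query parameters and any user:password
# embedded in the URL. Unparseable input is replaced wholesale, since
# failing closed is the safer default for a log filter.
def redact_url(url)
  uri = URI.parse(url)
  uri.userinfo = "#{uri.user}:#{REDACTED}" if uri.password
  if uri.query
    pairs = URI.decode_www_form(uri.query).map do |k, v|
      [k, SENSITIVE_PARAMS.include?(k.downcase) ? REDACTED : v]
    end
    uri.query = pairs.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
  end
  uri.to_s
rescue URI::InvalidURIError
  REDACTED
end

# Walks an audit-event payload (nested hashes, arrays, strings) and
# redacts sensitive keys as well as credentials embedded in URL strings.
def redact_payload(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = sensitive_key?(k) ? REDACTED : redact_payload(v)
    end
  when Array
    obj.map { |v| redact_payload(v) }
  when String
    obj.start_with?('http://', 'https://') ? redact_url(obj) : obj
  else
    obj
  end
end

# The JSON line an API request logger would write for one request.
def request_log_line(method, url, status)
  JSON.generate('method' => method, 'url' => redact_url(url), 'status' => status)
end

# The JSON line an audit logger would write for one event.
def audit_log_line(event)
  JSON.generate(redact_payload(event))
end

if __FILE__ == $0
  # Constructed samples; the token and password values are placeholders.
  puts request_log_line('GET', 'https://gitlab.example.com/api/v4/projects?private_token=glpat-CONSTRUCTED&page=2', 200)
  puts audit_log_line(
    'event' => 'webhook_deleted',
    'url' => 'https://deploy:s3cret@hooks.example.com/hook',
    'custom_headers' => { 'Authorization' => 'Bearer CONSTRUCTED', 'X-Trace' => '1' }
  )
end
```

Applying the filter at the serialization boundary, rather than at each call site, is what makes it hold for both the request log and the audit log: any new code path that logs a URL or an event payload inherits the redaction instead of having to remember it.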
Bug fixes
17.2.2

Backups: Fix parsing of existing backups in Azure storage (Backport 17.2)
Do not consider pool repos dangling on restore
Never return nil when search for CC service
Fix issue in RTE related to adding text before a mention
Backport ‘Check if params data cannot be JSONified’ into 17.2
Document Rake task to show/edit token expirations
Backport 17.2 – Introduce lock-free rescheduling for duplicate job
Ignore unknown sequences in sequence fix migration
Fix squished badges rendering in 17.2
Optimize CustomAbility specs to reduce build times
Backport Do not index associated issues that are epic work item type
bug: Fix template error due to divided by zero
Put groups_direct field in CI JWT tokens behind feature flag
Backport ‘Fix cluster check metrics’ into 17.2
Backport Beyond Identity bug fixes to 17.2
Enable project_daily_statistic_counter_attribute_fetch FF by default
Backport 17.2: Release Environments – pipeline level resource group
Add require_personal_access_token_expiry application setting
Backport 17.2: Mark Cookie SameSite as default over HTTP
Pin QA CI tests to stable gitlab-org/gitlab branches

17.1.4

Backups: Fix parsing of existing backups in Azure storage (Backport 17.1)
Backport 17.1 – Introduce lock-free rescheduling for duplicate job
Table driven spec needs shorter spec titles backport
Optimize CustomAbility specs to reduce build times
Put groups_direct field in CI JWT tokens behind feature flag
Increase SQL query threshold on work_items test
Backport ‘Check if params data cannot be JSONified’ into 17.1
Backport Beyond Identity bug fixes to 17.1
Backport gitlab-qa shm fix to 17.1 stable branch
Add require_personal_access_token_expiry application setting

17.0.6

Backups: Fix parsing of existing backups in Azure storage (Backport 17.0)
Backport 17.0 – Introduce lock-free rescheduling for duplicate job
Table driven spec needs shorter spec titles backport
Put groups_direct field in CI JWT tokens behind feature flag
Add require_personal_access_token_expiry application setting

16.11.8

Add require_personal_access_token_expiry application setting

Add require_personal_access_token_expiry application setting
This optional setting, enabled by default, was added for admins of GitLab self-managed instances on versions 16.11 and above and allows them to enable mandatory expiration on all new personal, project and group access tokens. Expirations set for existing tokens are not affected by this setting. For usage information, see Require expiration dates for new access tokens.
Updating
To update GitLab, see the Update page.
To update Gitlab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page.
To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We’re combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and
bug fixes sooner. Read the blog post here.