Multiple IBM Products Vulnerabilities
May 13, 2024
Severity
Medium
Analysis Summary
CVE-2023-6195 CVSS:2.6
GitLab Community Edition and Enterprise Edition are vulnerable to server-side request forgery (SSRF), caused by a flaw in the GitHub importer feature. By using a specially crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVE-2024-3976 CVSS:6.5
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the export feature. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain information about the titles and descriptions of confidential issues in any public project, and use this information to launch further attacks against the affected system.
CVE-2024-1211 CVSS:6.4
GitLab Community Edition and Enterprise Edition are vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to use JWT as an OmniAuth provider. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2024-1539 CVSS:4.3
GitLab Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation by the API. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain information about updates to issues to a banned group member, and use this information to launch further attacks against the affected system.
CVE-2024-4597 CVSS:5.7
GitLab Enterprise Edition is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to force a user with an active SAML session to approve an MR. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2024-4539 CVSS:4.3
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by a flaw when filtering tags and branches. By sending a specially crafted request using the API, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-2454 CVSS:6.5
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by a flaw in Pin Menu. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2023-6688 CVSS:6.5
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Google Chat integration. By sending a specially crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2023-6682 CVSS:6.5
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in Discord integrations. By sending a specially crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-2651 CVSS:6.5
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Markdown render pipeline. By sending a specially crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-2878 CVSS:7.5
GitLab Community Edition and Enterprise Edition are vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in branch search when using wildcards. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
Impact
- Gain Access
- Information Disclosure
- Denial of Service
Indicators of Compromise
CVE
- CVE-2023-6195
- CVE-2024-3976
- CVE-2024-1211
- CVE-2024-1539
- CVE-2024-4597
- CVE-2024-4539
- CVE-2024-2454
- CVE-2023-6688
- CVE-2023-6682
- CVE-2024-2651
- CVE-2024-2878
Affected Vendors
Affected Products
- GitLab Enterprise Edition 16.11.1
- GitLab Community Edition 16.11.1
- GitLab Enterprise Edition 16.10.4
- GitLab Community Edition 16.10.4
- GitLab Enterprise Edition 16.9.6
- GitLab Community Edition 16.9.6
Remediation
Upgrade to the latest version of GitLab, available from the GitLab Website.