Severity
High
Analysis Summary
CVE-2024-8312 CVSS:8.7
GitLab is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the Global Search to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-8233 CVSS:7.5
GitLab is vulnerable to a denial of service. By repeatedly sending unauthenticated requests for diff-files, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-11274 CVSS:7.5
GitLab is vulnerable to a denial of service, caused by the injection of Network Error Logging (NEL) headers in Kubernetes proxy responses. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-8114 CVSS:8.2
GitLab CE and EE could allow a remote authenticated attacker to gain elevated privileges on the system, caused by missing authorization. By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
Impact
- Denial of Service
- Privilege Escalation
- Cross-site Scripting
Indicators of Compromise
CVE
- CVE-2024-8312
- CVE-2024-8233
- CVE-2024-11274
- CVE-2024-8114
Affected Vendors
- GitLab
Affected Products
- GitLab - 17.5
- GitLab - 17.6
- GitLab - 17.4.2
- GitLab - 17.3.5
- GitLab - 8.12
Remediation
Upgrade to the latest version of GitLab, available from the GitLab website.