URL: https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-released/
Aug 7, 2024 - Costel Maxim    


GITLAB PATCH RELEASE: 17.2.2, 17.1.4, 17.0.6

Learn more about GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).





Today we are releasing versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these versions
immediately. GitLab.com is already running the patched version.

GitLab releases fixes for vulnerabilities in dedicated patch releases. There are
two types of patch releases: scheduled releases, and ad-hoc critical patches for
high-severity vulnerabilities. Scheduled releases are released twice a month on
the second and fourth Wednesdays. For more information, you can visit our
releases handbook and security FAQ. You can see all of GitLab release blog posts
here.

For security fixes, the issues detailing each vulnerability are made public on
our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers
or that host customer data are held to the highest security standards. As part
of maintaining good security hygiene, it is highly recommended that all
customers upgrade to the latest patch release for their supported version. You
can read more best practices in securing your GitLab instance in our blog post.


RECOMMENDED ACTION

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.


SECURITY FIXES


TABLE OF SECURITY FIXES

Title | Severity
Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access | Medium
Cross project access of Security policy bot | Medium
Advanced search ReDoS in highlight for code results | Medium
Denial of Service via banzai pipeline | Medium
Denial of service using adoc files | Medium
ReDoS in RefMatcher when matching branch names using wildcards | Medium
Path encoding can cause the Web interface to not render diffs correctly | Medium
XSS while viewing raw XHTML files through API | Medium
Ambiguous tag name exploitation | Medium
Logs disclosing potentially sensitive data in query params | Medium
Password bypass on approvals using policy projects | Medium
ReDoS when parsing git push | Medium
Webhook deletion audit log can preserve auth credentials | Medium


PRIVILEGE ESCALATION VIA LFS TOKENS GRANTING UNRESTRICTED REPOSITORY ACCESS

A permission check vulnerability in GitLab CE/EE affecting all versions starting
from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2
allowed LFS tokens to read and write to user-owned repositories. This is
a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8). It
is now mitigated in the latest release and is assigned CVE-2024-3035.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty
program.


CROSS PROJECT ACCESS OF SECURITY POLICY BOT

An issue was discovered in GitLab EE affecting all versions starting from 16.0
prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2
prior to 17.2.2, which allowed cross project access for Security policy bot.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N,
4.4). It is now mitigated in the latest release and is assigned CVE-2024-6356.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty
program.


ADVANCED SEARCH REDOS IN HIGHLIGHT FOR CODE RESULTS

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE
affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4,
and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic
backtracking while parsing results from Elasticsearch. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). We have requested a
CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by GitLab team member Terri Chu.


DENIAL OF SERVICE VIA BANZAI PIPELINE

Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE
affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1
prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed an
attacker to cause resource exhaustion via the banzai pipeline. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now
mitigated in the latest release and is assigned CVE-2024-5423.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.


DENIAL OF SERVICE USING ADOC FILES

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE
affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4,
and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of
service using crafted adoc files. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the
latest release and is assigned CVE-2024-4210.

Thanks gudanggaramfilter for reporting this vulnerability through our HackerOne
bug bounty program.


REDOS IN REFMATCHER WHEN MATCHING BRANCH NAMES USING WILDCARDS

A ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab
CE/EE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4,
and 17.2 prior to 17.2.2 allows denial of service via regex backtracking. This
is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5).
It is now mitigated in the latest release and is assigned CVE-2024-2800.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.


PATH ENCODING CAN CAUSE THE WEB INTERFACE TO NOT RENDER DIFFS CORRECTLY

An issue was discovered in GitLab CE/EE affecting all versions starting from
8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2
prior to 17.2.2, which causes the web interface to fail to render the diff
correctly when the path is encoded. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now mitigated in the
latest release and is assigned CVE-2024-6329.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug
bounty program.


XSS WHILE VIEWING RAW XHTML FILES THROUGH API

A cross-site scripting issue has been discovered in GitLab affecting all
versions starting from 5.1 prior to 17.0.6, starting from 17.1 prior to 17.1.4,
and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository
in raw mode, it can be made to render as HTML if viewed under specific
circumstances. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4). It is now mitigated in the
latest release and is assigned CVE-2024-4207.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.


AMBIGUOUS TAG NAME EXPLOITATION

An issue has been discovered in GitLab CE/EE affecting all versions before
17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 that allows someone to
abuse a discrepancy between the web application display and the git command
line interface to social engineer victims into cloning non-trusted code. This is
a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, 5.3). It
is now mitigated in the latest release and is assigned CVE-2024-3958.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug
bounty program.


LOGS DISCLOSING POTENTIALLY SENSITIVE DATA IN QUERY PARAMS

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, and all
versions starting from 17.2 before 17.2.2. Under certain conditions, access
tokens may have been logged when an API request was made in a specific manner.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N,
4.9). We have requested a CVE ID and will update this blog post when it is
assigned.

This vulnerability was discovered internally by GitLab team member Dominic
Couture.


PASSWORD BYPASS ON APPROVALS USING POLICY PROJECTS

An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6,
version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the
password re-entry requirement to approve a policy. This is a medium severity
issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.2). It is now mitigated
in the latest release and is assigned CVE-2024-4784.

Thanks vexin for reporting this vulnerability through our HackerOne bug bounty
program.


REDOS WHEN PARSING GIT PUSH

An issue was discovered in GitLab CE/EE affecting all versions starting from
11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, where the
processing logic for parsing invalid commits can lead to a regular expression
DoS attack on the server. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the
latest release and is assigned CVE-2024-3114.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.


WEBHOOK DELETION AUDIT LOG CAN PRESERVE AUTH CREDENTIALS

An issue was discovered in GitLab EE affecting all versions starting from 17.0
prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2
prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N,
4.1). It is now mitigated in the latest release and is assigned CVE-2024-7586.

This vulnerability was discovered internally by GitLab team member Anton Smith.


BUG FIXES


17.2.2

 * Backups: Fix parsing of existing backups in Azure storage (Backport 17.2)
 * Do not consider pool repos dangling on restore
 * Never return nil when search for CC service
 * Fix issue in RTE related to adding text before a mention
 * Backport 'Check if params data cannot be JSONified' into 17.2
 * Document Rake task to show/edit token expirations
 * Backport 17.2 - Introduce lock-free rescheduling for duplicate job
 * Ignore unknown sequences in sequence fix migration
 * Fix squished badges rendering in 17.2
 * Optimize CustomAbility specs to reduce build times
 * Backport Do not index associated issues that are epic work item type
 * bug: Fix template error due to divided by zero
 * Put groups_direct field in CI JWT tokens behind feature flag
 * Backport 'Fix cluster check metrics' into 17.2
 * Backport Beyond Identity bug fixes to 17.2
 * Enable project_daily_statistic_counter_attribute_fetch FF by default
 * Backport 17.2: Release Environments - pipeline level resource group
 * Add require_personal_access_token_expiry application setting
 * Backport 17.2: Mark Cookie SameSite as default over HTTP
 * Pin QA CI tests to stable gitlab-org/gitlab branches


17.1.4

 * Backups: Fix parsing of existing backups in Azure storage (Backport 17.1)
 * Backport 17.1 - Introduce lock-free rescheduling for duplicate job
 * Table driven spec needs shorter spec titles backport
 * Optimize CustomAbility specs to reduce build times
 * Put groups_direct field in CI JWT tokens behind feature flag
 * Increase SQL query threshold on work_items test
 * Backport 'Check if params data cannot be JSONified' into 17.1
 * Backport Beyond Identity bug fixes to 17.1
 * Backport gitlab-qa shm fix to 17.1 stable branch
 * Add require_personal_access_token_expiry application setting


17.0.6

 * Backups: Fix parsing of existing backups in Azure storage (Backport 17.0)
 * Backport 17.0 - Introduce lock-free rescheduling for duplicate job
 * Table driven spec needs shorter spec titles backport
 * Put groups_direct field in CI JWT tokens behind feature flag
 * Add require_personal_access_token_expiry application setting


16.11.8

 * Add require_personal_access_token_expiry application setting


ADD REQUIRE_PERSONAL_ACCESS_TOKEN_EXPIRY APPLICATION SETTING

This optional, default-enabled setting, added for administrators of GitLab
self-managed instances on versions 16.11 and above, allows them to enforce
mandatory expiration on all new personal, project and group access tokens.
Expirations set for existing tokens are not affected by this setting. For usage
information, see Require expiration dates for new access tokens.
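Because the setting only affects newly created tokens, an administrator still has to find and rotate pre-existing tokens that never expire. The following is an added example, not GitLab's own code; it assumes the admin-scoped `GET /api/v4/personal_access_tokens` listing (with `id`, `name`, `active`, `revoked`, `expires_at` fields) and that `require_personal_access_token_expiry` can be set through `PUT /api/v4/application/settings`.

```python
"""Audit a GitLab instance for access tokens without an expiry date.

Added example, not GitLab's own code. Assumptions: the admin-scoped
GET /api/v4/personal_access_tokens endpoint and that the
require_personal_access_token_expiry setting from the release notes is
accepted by PUT /api/v4/application/settings.
"""
import json
import os
import urllib.request
from urllib.parse import urlencode


def tokens_without_expiry(tokens):
    """Return active, non-revoked tokens that have no expires_at.

    The new setting forces expiry only on tokens created after it is
    enabled, so these older tokens must be rotated by hand.
    """
    return [t for t in tokens
            if t.get("active") and not t.get("revoked")
            and not t.get("expires_at")]


def enforce_expiry_request(base_url, admin_token):
    """Build the PUT request that turns the setting on for the instance."""
    body = urlencode({"require_personal_access_token_expiry": "true"}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/application/settings",
        data=body, method="PUT",
        headers={"PRIVATE-TOKEN": admin_token,
                 "Content-Type": "application/x-www-form-urlencoded"})


# Constructed sample of a token listing response (not real data).
SAMPLE_TOKENS = json.loads("""[
 {"id": 1, "name": "ci-deploy", "active": true, "revoked": false, "expires_at": null},
 {"id": 2, "name": "laptop", "active": true, "revoked": false, "expires_at": "2025-01-31"},
 {"id": 3, "name": "old-bot", "active": false, "revoked": true, "expires_at": null}
]""")

if __name__ == "__main__":
    tokens = SAMPLE_TOKENS
    url, admin = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_ADMIN_TOKEN")
    if url and admin:  # fetch the real listing when credentials are supplied
        req = urllib.request.Request(f"{url.rstrip('/')}/api/v4/personal_access_tokens",
                                     headers={"PRIVATE-TOKEN": admin})
        with urllib.request.urlopen(req) as resp:
            tokens = json.load(resp)
    for t in tokens_without_expiry(tokens):
        print(f"token {t['id']} ({t['name']}) never expires; rotate it")
```

With the two environment variables unset the script runs against the constructed sample only; it never sends the settings request itself, so enabling the setting remains an explicit administrator action.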


UPDATING

To update GitLab, see the Update page. To update GitLab Runner, see the Updating
the Runner page.


RECEIVE PATCH NOTIFICATIONS

To receive patch blog notifications delivered to your inbox, visit our contact
us page. To receive release notifications via RSS, subscribe to our patch
release RSS feed or our RSS feed for all releases.


WE’RE COMBINING PATCH AND SECURITY RELEASES

This improvement in our release process matches the industry standard and will
help GitLab users get information about security and bug fixes sooner; read the
blog post here.
