about.gitlab.com
Open in
urlscan Pro
2606:4700:4400::ac40:995c
Public Scan
URL:
https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/
Submission: On July 09 via api from IN — Scanned from DE
Submission: On July 09 via api from IN — Scanned from DE
Form analysis 3 forms found in the DOM
<form id="mktoForm_1077" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" __bizdiag="-708390074" __biza="WJ__" data-styles-ready="true">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoOffset"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>WORK EMAIL ADDRESS
</label>
<div class="mktoGutter mktoHasWidth"></div><input id="Email" name="Email" placeholder="abc@xyz.com" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email" class="mktoField mktoEmailField mktoHasWidth mktoRequired"
aria-required="true"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoOffset"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Country" id="LblCountry" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>COUNTRY
</label>
<div class="mktoGutter mktoHasWidth"></div><select id="Country" name="Country" aria-labelledby="LblCountry InstructCountry" class="mktoField mktoHasWidth mktoRequired" aria-required="true">
<option value="">Select...</option>
<option value="United States">United States</option>
<option value="United Kingdom">United Kingdom</option>
<option value="Canada">Canada</option>
<option value="France">France</option>
<option value="Germany">Germany</option>
<option value="Afghanistan">Afghanistan</option>
<option value="Aland Islands">Åland Islands</option>
<option value="Albania">Albania</option>
<option value="Algeria">Algeria</option>
<option value="Samoa">American Samoa</option>
<option value="Andorra">Andorra</option>
<option value="Angola">Angola</option>
<option value="Anguilla">Anguilla</option>
<option value="Antigua and Barbuda">Antigua and Barbuda</option>
<option value="Argentina">Argentina</option>
<option value="Armenia">Armenia</option>
<option value="Aruba">Aruba</option>
<option value="Australia">Australia</option>
<option value="Austria">Austria</option>
<option value="Azerbaijan">Azerbaijan</option>
<option value="Bahamas">Bahamas</option>
<option value="Bahrain">Bahrain</option>
<option value="Bangladesh">Bangladesh</option>
<option value="Barbados">Barbados</option>
<option value="Belarus">Belarus</option>
<option value="Belgium">Belgium</option>
<option value="Belize">Belize</option>
<option value="Benin">Benin</option>
<option value="Bermuda">Bermuda</option>
<option value="Bhutan">Bhutan</option>
<option value="Bolivia, Plurinational State of">Bolivia, Plurinational State of</option>
<option value="Bonaire, Sint Eustatius and Saba">Bonaire, Sint Eustatius and Saba</option>
<option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option>
<option value="Botswana">Botswana</option>
<option value="Bouvet Island">Bouvet Island</option>
<option value="Brazil">Brazil</option>
<option value="British Indian Ocean Territory">British Indian Ocean Territory</option>
<option value="Brunei Darussalam">Brunei Darussalam</option>
<option value="Bulgaria">Bulgaria</option>
<option value="Burkina Faso">Burkina Faso</option>
<option value="Burundi">Burundi</option>
<option value="Cambodia">Cambodia</option>
<option value="Cameroon">Cameroon</option>
<option value="Cape Verde">Cape Verde</option>
<option value="Cayman Islands">Cayman Islands</option>
<option value="Central African Republic">Central African Republic</option>
<option value="Chad">Chad</option>
<option value="Chile">Chile</option>
<option value="China">China</option>
<option value="Christmas Island">Christmas Island</option>
<option value="Cocos (Keeling) Islands">Cocos (Keeling) Islands</option>
<option value="Colombia">Colombia</option>
<option value="Comoros">Comoros</option>
<option value="Congo, the Democratic Republic of the">Congo, the Democratic Republic of the</option>
<option value="Congo">Congo</option>
<option value="Cook Islands">Cook Islands</option>
<option value="Costa Rica">Costa Rica</option>
<option value="Cote d’Ivoire">Côte d’Ivoire</option>
<option value="Croatia">Croatia</option>
<option value="Curacao">Curaçao</option>
<option value="Cyprus">Cyprus</option>
<option value="Czech Republic">Czech Republic</option>
<option value="Denmark">Denmark</option>
<option value="Djibouti">Djibouti</option>
<option value="Dominica">Dominica</option>
<option value="Dominican Republic">Dominican Republic</option>
<option value="Ecuador">Ecuador</option>
<option value="Egypt">Egypt</option>
<option value="El Salvador">El Salvador</option>
<option value="Equatorial Guinea">Equatorial Guinea</option>
<option value="Eritrea">Eritrea</option>
<option value="Estonia">Estonia</option>
<option value="Ethiopia">Ethiopia</option>
<option value="Falkland Islands (Malvinas)">Falkland Islands (Malvinas)</option>
<option value="Faroe Islands">Faroe Islands</option>
<option value="Fiji">Fiji</option>
<option value="Finland">Finland</option>
<option value="French Guiana">French Guiana</option>
<option value="French Polynesia">French Polynesia</option>
<option value="French Southern Territories">French Southern Territories</option>
<option value="Gabon">Gabon</option>
<option value="Gambia">Gambia</option>
<option value="Georgia">Georgia</option>
<option value="Ghana">Ghana</option>
<option value="Gibraltar">Gibraltar</option>
<option value="Greece">Greece</option>
<option value="Greenland">Greenland</option>
<option value="Grenada">Grenada</option>
<option value="Guadeloupe">Guadeloupe</option>
<option value="Guam">Guam</option>
<option value="Guatemala">Guatemala</option>
<option value="Guernsey">Guernsey</option>
<option value="Guinea">Guinea</option>
<option value="Guinea-Bissau">Guinea-Bissau</option>
<option value="Guyana">Guyana</option>
<option value="Haiti">Haiti</option>
<option value="Heard Island and McDonald Islands">Heard Island and McDonald Islands</option>
<option value="Holy See (Vatican City State)">Holy See (Vatican City State)</option>
<option value="Honduras">Honduras</option>
<option value="Hong Kong">Hong Kong</option>
<option value="Hungary">Hungary</option>
<option value="Iceland">Iceland</option>
<option value="India">India</option>
<option value="Indonesia">Indonesia</option>
<option value="Iraq">Iraq</option>
<option value="Ireland">Ireland</option>
<option value="Isle of Man">Isle of Man</option>
<option value="Israel">Israel</option>
<option value="Italy">Italy</option>
<option value="Jamaica">Jamaica</option>
<option value="Japan">Japan</option>
<option value="Jersey">Jersey</option>
<option value="Jordan">Jordan</option>
<option value="Kazakhstan">Kazakhstan</option>
<option value="Kenya">Kenya</option>
<option value="Kiribati">Kiribati</option>
<option value="Korea, Republic of">Korea, Republic of</option>
<option value="Kuwait">Kuwait</option>
<option value="Kyrgyzstan">Kyrgyzstan</option>
<option value="Lao People’s Democratic Republic">Lao People’s Democratic Republic</option>
<option value="Latvia">Latvia</option>
<option value="Lebanon">Lebanon</option>
<option value="Lesotho">Lesotho</option>
<option value="Liberia">Liberia</option>
<option value="Libya">Libya</option>
<option value="Liechtenstein">Liechtenstein</option>
<option value="Lithuania">Lithuania</option>
<option value="Luxembourg">Luxembourg</option>
<option value="Macao">Macao</option>
<option value="Macedonia, the former Yugoslav Republic of">Macedonia, the former Yugoslav Republic of</option>
<option value="Madagascar">Madagascar</option>
<option value="Malawi">Malawi</option>
<option value="Malaysia">Malaysia</option>
<option value="Maldives">Maldives</option>
<option value="Mali">Mali</option>
<option value="Malta">Malta</option>
<option value="Marshall Islands">Marshall Islands</option>
<option value="Martinique">Martinique</option>
<option value="Mauritania">Mauritania</option>
<option value="Mauritius">Mauritius</option>
<option value="Mayotte">Mayotte</option>
<option value="Mexico">Mexico</option>
<option value="Micronesia, Federated States of">Micronesia, Federated States of</option>
<option value="Moldova, Republic of">Moldova, Republic of</option>
<option value="Monaco">Monaco</option>
<option value="Mongolia">Mongolia</option>
<option value="Montenegro">Montenegro</option>
<option value="Montserrat">Montserrat</option>
<option value="Morocco">Morocco</option>
<option value="Mozambique">Mozambique</option>
<option value="Myanmar">Myanmar</option>
<option value="Namibia">Namibia</option>
<option value="Nauru">Nauru</option>
<option value="Nepal">Nepal</option>
<option value="Netherlands">Netherlands</option>
<option value="New Caledonia">New Caledonia</option>
<option value="New Zealand">New Zealand</option>
<option value="Nicaragua">Nicaragua</option>
<option value="Niger">Niger</option>
<option value="Nigeria">Nigeria</option>
<option value="Niue">Niue</option>
<option value="Norfolk Island">Norfolk Island</option>
<option value="Northern Mariana Islands">Northern Mariana Islands</option>
<option value="Norway">Norway</option>
<option value="Oman">Oman</option>
<option value="Pakistan">Pakistan</option>
<option value="Palau">Palau</option>
<option value="Palestinian Territory, Occupied">Palestinian Territory, Occupied</option>
<option value="Panama">Panama</option>
<option value="Papua New Guinea">Papua New Guinea</option>
<option value="Paraguay">Paraguay</option>
<option value="Peru">Peru</option>
<option value="Philippines">Philippines</option>
<option value="Pitcairn">Pitcairn</option>
<option value="Poland">Poland</option>
<option value="Portugal">Portugal</option>
<option value="Puerto Rico">Puerto Rico</option>
<option value="Qatar">Qatar</option>
<option value="Reunion">Réunion</option>
<option value="Romania">Romania</option>
<option value="Russian Federation">Russian Federation</option>
<option value="Rwanda">Rwanda</option>
<option value="Saint Barthelemy">Saint Barthélemy</option>
<option value="Saint Helena, Ascension and Tristan da Cunha">Saint Helena, Ascension and Tristan da Cunha</option>
<option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option>
<option value="Saint Lucia">Saint Lucia</option>
<option value="Saint Martin (French part)">Saint Martin (French part)</option>
<option value="Saint Pierre and Miquelon">Saint Pierre and Miquelon</option>
<option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option>
<option value="Samoa">Samoa</option>
<option value="San Marino">San Marino</option>
<option value="Sao Tome and Principe">Sao Tome and Principe</option>
<option value="Saudi Arabia">Saudi Arabia</option>
<option value="Senegal">Senegal</option>
<option value="Serbia">Serbia</option>
<option value="Seychelles">Seychelles</option>
<option value="Sierra Leone">Sierra Leone</option>
<option value="Singapore">Singapore</option>
<option value="Sint Maarten (Dutch part)">Sint Maarten (Dutch part)</option>
<option value="Slovakia">Slovakia</option>
<option value="Slovenia">Slovenia</option>
<option value="Solomon Islands">Solomon Islands</option>
<option value="Somalia">Somalia</option>
<option value="South Africa">South Africa</option>
<option value="South Georgia and the South Sandwich Islands">South Georgia and the South Sandwich Islands</option>
<option value="South Sudan">South Sudan</option>
<option value="Spain">Spain</option>
<option value="Sri Lanka">Sri Lanka</option>
<option value="Suriname">Suriname</option>
<option value="Svalbard and Jan Mayen">Svalbard and Jan Mayen</option>
<option value="Swaziland">Swaziland</option>
<option value="Sweden">Sweden</option>
<option value="Switzerland">Switzerland</option>
<option value="Taiwan">Taiwan</option>
<option value="Tajikistan">Tajikistan</option>
<option value="Tanzania, United Republic of">Tanzania, United Republic of</option>
<option value="Thailand">Thailand</option>
<option value="Timor-Leste">Timor-Leste</option>
<option value="Togo">Togo</option>
<option value="Tokelau">Tokelau</option>
<option value="Tonga">Tonga</option>
<option value="Trinidad and Tobago">Trinidad and Tobago</option>
<option value="Tunisia">Tunisia</option>
<option value="Turkey">Turkey</option>
<option value="Turkmenistan">Turkmenistan</option>
<option value="Turks and Caicos Islands">Turks and Caicos Islands</option>
<option value="Tuvalu">Tuvalu</option>
<option value="Uganda">Uganda</option>
<option value="Ukraine">Ukraine</option>
<option value="United Arab Emirates">United Arab Emirates</option>
<option value="Uruguay">Uruguay</option>
<option value="Uzbekistan">Uzbekistan</option>
<option value="Vanuatu">Vanuatu</option>
<option value="Venezuela, Bolivarian Republic of">Venezuela, Bolivarian Republic of</option>
<option value="Viet Nam">Viet Nam</option>
<option value="Virgin Islands, British">Virgin Islands, British</option>
<option value="Wallis and Futuna">Wallis and Futuna</option>
<option value="Western Sahara">Western Sahara</option>
<option value="Yemen">Yemen</option>
<option value="Zambia">Zambia</option>
<option value="Zimbabwe">Zimbabwe</option>
</select><span id="InstructCountry" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoPlaceholder mktoPlaceholderCity"></div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFormCol">
<div class="mktoOffset mktoHasWidth"></div>
<div class="mktoFieldWrap">
<div class="mktoHtmlText mktoHasWidth">By subscribing to this newsletter, I consent to GitLab sending me monthly blog emails in accordance with <a href="https://about.gitlab.com/privacy/" target="_blank" id="">GitLab's Privacy Statement</a>.
I may opt-out at anytime by clicking "unsubscribe" in the email footer or by visiting our <a href="https://about.gitlab.com/company/preference-center/" target="_blank" id="">Communications Preference Center</a>.</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="gclid" class="mktoField mktoFieldDescriptor mktoFormCol" value="">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="GACLIENTID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="GATRACKID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="newsletterSegment__c_lead" class="mktoField mktoFieldDescriptor mktoFormCol" value="Yes">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1077"><input type="hidden"
name="munchkinId" class="mktoField mktoFieldDescriptor" value="194-VVC-221">
</form><form style="display: initial; font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft"
__bizdiag="-2025424517" __biza="WJ__"></form><form __bizdiag="0" __biza="WJ__">
<input class="st-default-search-input st-search-set-focus" type="text" value="" placeholder="Search this site" aria-label="Search this site" id="st-overlay-search-input" autocomplete="off" autocorrect="off" autocapitalize="off">
</form>Text Content
← Back to releases
Jun 26, 2024 - Nikhil George
GITLAB CRITICAL PATCH RELEASE: 17.1.1, 17.0.3, 16.11.5
Learn more about GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5 for
GitLab Community Edition (CE) and Enterprise Edition (EE).
Today we are releasing versions 17.1.1, 17.0.3, 16.11.5 for GitLab Community
Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these versions
immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are
two types of patch releases: scheduled releases, and ad-hoc critical patches for
high-severity vulnerabilities. Scheduled releases are released twice a month on
the second and fourth Wednesdays. For more information, you can visit our
releases handbook and security FAQ. You can see all of GitLab release blog posts
here.
For security fixes, the issues detailing each vulnerability are made public on
our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers
or that host customer data are held to the highest security standards. As part
of maintaining good security hygiene, it is highly recommended that all
customers upgrade to the latest patch release for their supported version. You
can read more best practices in securing your GitLab instance in our blog post.
RECOMMENDED ACTION
We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.
SECURITY FIXES
TABLE OF SECURITY FIXES
Title Severity Run pipelines as any user Critical Stored XSS injected in
imported project's commit notes High CSRF on GraphQL API IntrospectionQuery High
Remove search results from public projects with unauthorized repos High Cross
window forgery in user application OAuth flow Medium Project maintainers can
bypass group's merge request approval policy Medium ReDoS via custom built
markdown page medium Private job artifacts can be accessed by any user Medium
Security fixes for banzai pipeline Medium ReDoS in dependency linker Medium
Denial of service using a crafted OpenAPI file Medium Merge request title
disclosure Medium Access issues and epics without having an SSO session Medium
Non project member can promote key results to objectives Low
RUN PIPELINES AS ANY USER
An issue was discovered in GitLab CE/EE affecting all versions starting from
15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, which could allow an attacker to trigger a pipeline as
another user under certain circumstances. This is a critical severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now resolved in the
latest release and is assigned CVE-2024-5655.
Thanks to ahacker1 for reporting this vulnerability through our HackerOne bug
bounty program.
Breaking changes:
1. This fix changes the MR re-targeting workflow so that a pipeline will not
automatically run when a merge request is automatically re-targeted due to
its previous target branch being merged. Users will need to manually start a
pipeline to have CI execute for their changes.
2. GraphQL authentication using CI_JOB_TOKEN is disabled by default from
17.0.0, and back ported to 17.0.3, 16.11.5 in the current patch release. If
access to the GraphQL API is required, please configure one of the several
supported token types for authentication.
At this time, we have not found evidence of abuse of this vulnerability on the
platforms managed by GitLab, including GitLab.com and GitLab Dedicated
instances.
STORED XSS INJECTED IN IMPORTED PROJECT'S COMMIT NOTES
An issue was discovered in GitLab CE/EE affecting all versions starting from
16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a
project with malicious commit notes. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the
latest release and is assigned CVE-2024-4901.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty
program.
CSRF ON GRAPHQL API INTROSPECTIONQUERY
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0
before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions
starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's
GraphQL API leading to the execution of arbitrary GraphQL mutations. This is a
high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, 8.1). It is
now mitigated in the latest release and is assigned CVE-2024-4994.
Thanks ahacker1 for reporting this vulnerability through our HackerOne bug
bounty program
REMOVE SEARCH RESULTS FROM PUBLIC PROJECTS WITH UNAUTHORIZED REPOS
Improper authorization in global search in GitLab EE affecting all versions from
16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows
an attacker leak content of a private repository in a public project. This is a
high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5). It is
now mitigated in the latest release and is assigned CVE-2024-6323.
Thanks to GitLab Team Member, @joernchen for reporting this issue.
CROSS WINDOW FORGERY IN USER APPLICATION OAUTH FLOW
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all
versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to
17.1.1. This condition allows for an attacker to abuse the OAuth authentication
flow via a crafted payload. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in the
latest release and is assigned CVE-2024-2177.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.
PROJECT MAINTAINERS CAN BYPASS GROUP'S MERGE REQUEST APPROVAL POLICY
An issue was discovered in GitLab CE/EE affecting all versions starting from
16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, which allows a project maintainer can delete the merge
request approval policy via graphQL. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N, 6.8). It is now mitigated in the
latest release and is assigned CVE-2024-5430.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty
program.
REDOS VIA CUSTOM BUILT MARKDOWN PAGE
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE
affecting all versions from 7.10 prior before 16.11.5, version 17.0 before
17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial
of service using a crafted markdown page. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the
latest release and is assigned CVE-2024-4025.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.
PRIVATE JOB ARTIFACTS CAN BE ACCESSED BY ANY USER
An issue was discovered in GitLab CE/EE affecting all versions starting from
16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any
user. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the
latest release and is assigned CVE-2024-3959.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty
program.
SECURITY FIXES FOR BANZAI PIPELINE
Multiple Denial of Service (DoS) issues has been discovered in GitLab CE/EE
affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0
prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an
attacker to cause resource exhaustion via banzai pipeline. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now
mitigated in the latest release and is assigned CVE-2024-4557.
Thanks joaxcar and setiawan_ for reporting these vulnerability through our
HackerOne bug bounty program
REDOS IN DEPENDENCY LINKER
An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2
prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1
prior to 17.1.1, with the processing logic for generating link in dependency
files can lead to a regular expression DoS attack on the server. This is a
medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is
now mitigated in the latest release and is assigned CVE-2024-1493.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.
DENIAL OF SERVICE USING A CRAFTED OPENAPI FILE
An issue was discovered in GitLab CE/EE affecting all versions starting from
12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service
using a crafted OpenAPI file. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.3). It is now mitigated in the
latest release and is assigned CVE-2024-1816.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.
MERGE REQUEST TITLE DISCLOSURE
An issue was discovered in GitLab CE/EE affecting all versions starting from
16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, which allows merge request title to be visible publicly
despite being set as project members only. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the
latest release and is assigned CVE-2024-2191.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne
bug bounty program.
ACCESS ISSUES AND EPICS WITHOUT HAVING AN SSO SESSION
An issue was discovered in GitLab EE affecting all versions starting from 16.0
prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1
prior to 17.1.1, which allows an attacker to access issues and epics without
having an SSO session using Duo Chat. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2024-3115.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.
NON PROJECT MEMBER CAN PROMOTE KEY RESULTS TO OBJECTIVES
An issue was discovered in GitLab CE/EE affecting all versions starting from
16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from
17.1 prior to 17.1.1, which allows non-project member to promote key results to
objectives. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the
latest release and is assigned CVE-2024-4011.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne
bug bounty program.
BUG FIXES
17.1.1
* Prevent cng e2e test from running in security fork
* Only enumerate commits in pre-receive check if push came from Web
* Revert "Allow admin_runner ability to change shared runners setting"
17.0.3
* Fix missing filename when downloading generic package in release page
* Update an expired test certificate
* Prevent starting multiple Capybara proxy servers
* Backport 3 commits for Merge Train pipelines support in 17-0-stable-ee
* Fix error when calling GQL ciConfig endpoint with include:component
* Only allow documented token types for GraphQL authentication
* Add a banner informing about token expiration
* Only enumerate commits in pre-receive check if push came from Web
* Backport QA test fixes for stable branches
* Merge branch 'sh-patch-inspec-gem' into 'master'
16.11.5
* Prevent starting multiple Capybara proxy servers
* Update an expired test certificate
* Enable invert_emails_disabled_to_emails_enabled by default
* Only allow documented token types for GraphQL authentication
* Add a banner informing about token expiration
* Backport QA test fixes for stable branches
16.10.8
* Add a banner informing about token expiration
16.9.9
* Add a banner informing about token expiration
16.8.8
* Add a banner informing about token expiration
16.7.8
* Add a banner informing about token expiration
16.6.8
* Add a banner informing about token expiration
UPDATING
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating
the Runner page.
RECEIVE PATCH NOTIFICATIONS
To receive patch blog notifications delivered to your inbox, visit our contact
us page. To receive release notifications via RSS, subscribe to our patch
release RSS feed or our RSS feed for all releases.
WE’RE COMBINING PATCH AND SECURITY RELEASES
This improvement in our release process matches the industry standard and will
help GitLab users get information about security and bug fixes sooner, read the
blog post here.
GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5 via @gitlab Click to
tweet!
* security
Share on Facebook Share on Twitter Share on LinkedIn Share on Hacker News
* Previous Post: GitLab 17.1 released with Model registry available in ...
Sign up for GitLab's monthly newsletter
*
WORK EMAIL ADDRESS
*
COUNTRY
Select...United StatesUnited KingdomCanadaFranceGermanyAfghanistanÅland
IslandsAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntigua and
BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBolivia,
Plurinational State ofBonaire, Sint Eustatius and SabaBosnia and
HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean TerritoryBrunei
DarussalamBulgariaBurkina FasoBurundiCambodiaCameroonCape VerdeCayman
IslandsCentral African RepublicChadChileChinaChristmas IslandCocos (Keeling)
IslandsColombiaComorosCongo, the Democratic Republic of theCongoCook
IslandsCosta RicaCôte d’IvoireCroatiaCuraçaoCyprusCzech
RepublicDenmarkDjiboutiDominicaDominican RepublicEcuadorEgyptEl
SalvadorEquatorial GuineaEritreaEstoniaEthiopiaFalkland Islands (Malvinas)Faroe
IslandsFijiFinlandFrench GuianaFrench PolynesiaFrench Southern
TerritoriesGabonGambiaGeorgiaGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuernseyGuineaGuinea-BissauGuyanaHaitiHeard
Island and McDonald IslandsHoly See (Vatican City State)HondurasHong
KongHungaryIcelandIndiaIndonesiaIraqIrelandIsle of
ManIsraelItalyJamaicaJapanJerseyJordanKazakhstanKenyaKiribatiKorea, Republic
ofKuwaitKyrgyzstanLao People’s Democratic
RepublicLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacaoMacedonia,
the former Yugoslav Republic ofMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall
IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesia, Federated States
ofMoldova, Republic
ofMonacoMongoliaMontenegroMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew
CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorthern Mariana
IslandsNorwayOmanPakistanPalauPalestinian Territory, OccupiedPanamaPapua New
GuineaParaguayPeruPhilippinesPitcairnPolandPortugalPuerto
RicoQatarRéunionRomaniaRussian FederationRwandaSaint BarthélemySaint Helena,
Ascension and Tristan da CunhaSaint Kitts and NevisSaint LuciaSaint Martin
(French part)Saint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan
MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra
LeoneSingaporeSint Maarten (Dutch part)SlovakiaSloveniaSolomon
IslandsSomaliaSouth AfricaSouth Georgia and the South Sandwich IslandsSouth
SudanSpainSri LankaSurinameSvalbard and Jan
MayenSwazilandSwedenSwitzerlandTaiwanTajikistanTanzania, United Republic
ofThailandTimor-LesteTogoTokelauTongaTrinidad and
TobagoTunisiaTurkeyTurkmenistanTurks and Caicos IslandsTuvaluUgandaUkraineUnited
Arab EmiratesUruguayUzbekistanVanuatuVenezuela, Bolivarian Republic ofViet
NamVirgin Islands, BritishWallis and FutunaWestern SaharaYemenZambiaZimbabwe
By subscribing to this newsletter, I consent to GitLab sending me monthly blog
emails in accordance with GitLab's Privacy Statement. I may opt-out at anytime
by clicking "unsubscribe" in the email footer or by visiting our Communications
Preference Center.
Subscribe
Having trouble viewing or submitting this form? You may need to update your
Cookie Preferences to allow all cookies. You might also need to allow us on your
adblocker, firewall, or browser privacy settings.
Thanks for subscribing!
WE WANT TO HEAR FROM YOU
Enjoyed reading this blog post or have questions or feedback? Share your
thoughts by creating a new topic in the GitLab community forum.
Share your feedback
TAKE GITLAB FOR A SPIN
See what your team could do with The DevSecOps Platform.
Get free trial
Have a question? We're here to help.
Talk to an expert
Edit this page View source
®
PLATFORM
* DevSecOps platform
PRICING
* View plans
* Why Premium?
* Why Ultimate?
SOLUTIONS
* Digital transformation
* Security & Compliance
* Automated software delivery
* Agile development
* Cloud transformation
* SCM
* CI/CD
* Value stream management
* GitOps
* Enterprise
* Small business
* Public sector
* Education
* Financial services
RESOURCES
* Install
* Quick setup checklists
* Learn
* Docs
* Blog
* Customer success stories
* Remote
* TeamOps
* Community
* Forum
* Events
* Partners
COMPANY
* About
* Jobs
* Leadership
* Team
* Handbook
* Investor relations
* Environmental, social and governance (ESG)
* Diversity, inclusion and belonging (DIB)
* Trust Center
* Newsletter
* Press
CONTACT US
* Contact an expert
* Get help
* Customer portal
* Status
* Terms of use
* Privacy statement
* Cookie Preferences
*
*
*
*
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is
under license
View page source — Edit this page — please contribute.
© 2024 GitLab B.V.
THIS WEBSITE USES COOKIES
We use cookies to make our websites and services operate correctly, to
understand how visitors engage with us and to improve our product and marketing
efforts. See our cookie policy for more information.Cookie Policy
Cookies Settings Accept All Cookies
PRIVACY PREFERENCE CENTER
* YOUR PRIVACY
* STRICTLY NECESSARY COOKIES
* FUNCTIONALITY COOKIES
* PERFORMANCE AND ANALYTICS COOKIES
* TARGETING AND ADVERTISING COOKIES
YOUR PRIVACY
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
Cookie Policy
User ID: 3272c717-bd63-4948-abc3-480371c8cfa0
This User ID will be used as a unique identifier while storing and accessing
your preferences for future.
Timestamp: --
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, enabling you to securely log into the site, filling in forms, or
using the customer checkout. GitLab processes any personal data collected
through these cookies on the basis of our legitimate interest.
Cookies Details
FUNCTIONALITY COOKIES
Functionality Cookies
These cookies enable helpful but non-essential website functions that improve
your website experience. By recognizing you when you return to our website, they
may, for example, allow us to personalize our content for you or remember your
preferences. If you do not allow these cookies then some or all of these
services may not function properly. GitLab processes any personal data collected
through these cookies on the basis of your consent
Cookies Details
PERFORMANCE AND ANALYTICS COOKIES
Performance and Analytics Cookies
These cookies allow us and our third-party service providers to recognize and
count the number of visitors on our websites and to see how visitors move around
our websites when they are using it. This helps us improve our products and
ensures that users can easily find what they need on our websites. These cookies
usually generate aggregate statistics that are not associated with an
individual. To the extent any personal data is collected through these cookies,
GitLab processes that data on the basis of your consent.
Cookies Details
TARGETING AND ADVERTISING COOKIES
Targeting and Advertising Cookies
These cookies enable different advertising related functions. They may allow us
to record information about your visit to our websites, such as pages visited,
links followed, and videos viewed so we can make our websites and the
advertising displayed on it more relevant to your interests. They may be set
through our website by our advertising partners. They may be used by those
companies to build a profile of your interests and show you relevant
advertisements on other websites. GitLab processes any personal data collected
through these cookies on the basis of your consent.
Cookies Details
Back Button
COOKIE LIST
Filter Button
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Clear
checkbox label label
Apply Cancel
Confirm My Choices
Allow All
Close
suggested results