GitLab has released a critical security update for several versions of its platform, including versions 17.6.2, 17.5.4, and 17.4.6 for both Community and Enterprise Editions. This update fixes vulnerabilities that could result in account takeovers, denial of service attacks, and data leaks.
CVE-2024-11274 (CVSS 8.7) is a critical vulnerability that permits the injection of Network Error Logging (NEL) headers in Kubernetes proxy responses, risking user session data exfiltration. This could allow attackers to steal session data and access accounts without permission.
By infosecbulletin
/ Monday , June 23 2025
A hacking group reportedly linked to Russian government has been discovered using a new phishing method that bypasses two-factor authentication...
Read More
By infosecbulletin
/ Wednesday , June 18 2025
Russian cybersecurity experts discovered the first local data theft attacks using a modified version of legitimate near field communication (NFC)...
Read More
By infosecbulletin
/ Tuesday , June 17 2025
Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
Read More
By infosecbulletin
/ Tuesday , June 17 2025
GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
Read More
By infosecbulletin
/ Tuesday , June 17 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
Read More
By infosecbulletin
/ Monday , June 16 2025
SafetyDetectives’ Cybersecurity Team discovered a public post on a clear web forum in which a threat actor claimed to have...
Read More
By infosecbulletin
/ Sunday , June 15 2025
WestJet, Canada's second-largest airline, is looking into a cyberattack that has affected some internal systems during its response to the...
Read More
By infosecbulletin
/ Saturday , June 14 2025
Resecurity found 7.4 million records of Paraguayan citizens' personal information leaked on the dark web today. Last week, cybercriminals attempted...
Read More
By infosecbulletin
/ Friday , June 13 2025
HashiCorp has revealed a critical vulnerability in its Nomad tool that may let attackers gain higher privileges by misusing the...
Read More
By infosecbulletin
/ Friday , June 13 2025
SoftBank has disclosed that personal information of more than 137,000 mobile subscribers—covering names, addresses, and phone numbers—might have been leaked...
Read More
CVE-2024-8233 (CVSS 7.5) allows attackers to perform denial of service attacks by repeatedly sending unauthenticated requests for diff-files. All GitLab versions from 9.4 are affected, making it urgent for users to update.
The update also addresses several medium and low-severity vulnerabilities, including:
CI_JOB_TOKEN Exploitation:
Attackers could potentially use stolen CI_JOB_TOKENs to gain access to user sessions.
Open Redirects and Path Traversal:
These vulnerabilities can be used for phishing and data leaks.
Cross-Site Scripting (XSS) and HTML Injection:
Improper output encoding and other vulnerabilities can allow XSS attacks if Content Security Policy (CSP) is not enabled.
Information Leaks:
Unauthorized users could access sensitive information, like project names and incident details.
GitLab urges all users to update to the latest versions immediately to address security risks. The company thanks security researchers for reporting these vulnerabilities through its HackerOne bug bounty program.