Security Advisory: Multiple Vulnerabilities in GitLab

The French Computer Emergency Response Team (CERT-FR) has issued a security advisory regarding multiple vulnerabilities in GitLab, a widely used web-based Git repository manager.

Document Management:

  • Reference: CERTFR-2023-AVI-0905
  • Title: Multiple Vulnerabilities in GitLab
  • First Version Date: November 2, 2023
  • Last Version Date: November 2, 2023
  • Source: GitLab Security Bulletin – October 31, 2023
  • Attachments: None

Risks: The identified vulnerabilities pose the following risks:

  1. Remote Denial of Service
  2. Security Policy Bypass
  3. Confidentiality Breach

Affected Systems: The vulnerabilities impact the following GitLab editions:

  • Community Edition (CE) and Enterprise Edition (EE) versions 16.5.x prior to 16.5.1
  • Community Edition (CE) and Enterprise Edition (EE) versions 16.4.x prior to 16.4.2
  • Community Edition (CE) and Enterprise Edition (EE) versions prior to 16.3.6
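The three ranges above translate directly into a version check. The following Python snippet is an added example, not code from CERT-FR or GitLab: it parses a GitLab version string (as returned by the authenticated `/api/v4/version` API endpoint or by `gitlab-rake gitlab:env:info` on the server) and reports which fixed release, if any, the instance should be upgraded to. The inventory of hostnames and versions at the bottom is constructed for illustration, and the check encodes only the ranges stated in this advisory, not any later GitLab security release.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per affected branch, as listed in the advisory:
#   16.5.x before 16.5.1, 16.4.x before 16.4.2, anything else before 16.3.6.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (16, 5): (16, 5, 1),
    (16, 4): (16, 4, 2),
}
BASELINE_FIX: Version = (16, 3, 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from strings such as '16.4.1-ee' or '16.5.0'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the earliest fixed release for this version's branch, or None
    if the version is already outside every affected range."""
    branch_fix = FIXED_IN.get(version[:2])
    if branch_fix is not None:
        # 16.4.x / 16.5.x: affected only below the branch's own fix.
        return branch_fix if version < branch_fix else None
    # Every other version is affected if it predates 16.3.6; 16.6+ is not listed.
    return BASELINE_FIX if version < BASELINE_FIX else None


def is_affected(version_text: str) -> bool:
    return fixed_version_for(parse_version(version_text)) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the release it should be upgraded to."""
    result: Dict[str, str] = {}
    for host, version_text in inventory.items():
        fix = fixed_version_for(parse_version(version_text))
        if fix is not None:
            result[host] = ".".join(str(n) for n in fix)
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "git-prod.example.internal": "16.5.0-ee",
    "git-staging.example.internal": "16.4.2-ee",
    "git-legacy.example.internal": "15.11.13-ce",
    "git-dev.example.internal": "16.6.0",
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to {fix}")
```

The branch-specific lookup matters: 16.4.2 is not affected even though it is "prior to 16.5.1", so a naive single comparison against the newest fixed release would misreport the staging host in the sample inventory.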

Summary: Multiple vulnerabilities have been discovered in GitLab, enabling attackers to remotely trigger denial of service, bypass security policies, and compromise data confidentiality.

Solution: Upgrade to the earliest fixed release of the relevant branch, that is 16.5.1, 16.4.2 or 16.3.6, and follow any additional recommendations in GitLab's security bulletin of October 31, 2023. Detailed information can be obtained directly from GitLab's official security channels.

Users and administrators are strongly encouraged to apply the necessary measures promptly to mitigate the identified vulnerabilities and enhance the security of their GitLab instances.