GitLab, the well-known software development platform, has recently addressed a critical security issue that could potentially allow hackers to gain control of user accounts through an unauthenticated attack.
The vulnerability, tracked as CVE-2024-4835, is a cross-site scripting (XSS) flaw in the platform's VS Code-based editor (Web IDE). An attacker could exploit it by luring a user to a malicious web page crafted to steal sensitive information.
GitLab Rolls Out Security Updates
In response, GitLab has rapidly deployed fixes. “Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” stated GitLab. “These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”
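As an added example (not GitLab's code and not part of the original article), a small Python check that classifies an instance's reported version against the three fixed releases quoted above. The JSON shape of GitLab's authenticated GET /api/v4/version endpoint and the handling of branches other than those three are assumptions, noted in the code.

```python
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in GitLab's advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {(17, 0): (17, 0, 1), (16, 11): (16, 11, 3), (16, 10): (16, 10, 6)}


def parse_version(raw: str) -> Version:
    """Parse a GitLab version string such as '16.11.2-ee' into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def patch_status(version: Version) -> Tuple[bool, Optional[Version]]:
    """Return (is_patched, release_to_install); the release is None if no upgrade is needed.
    Assumed, not stated in the article: releases newer than 17.0.x already carry the fix,
    and branches older than 16.10 have no fixed release, so 16.10.6 is suggested for them.
    """
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        return (True, None) if patch >= fixed[2] else (False, fixed)
    if branch > (17, 0):
        return True, None
    return False, FIXED_RELEASES[(16, 10)]


def check_instance_version(api_response: str) -> dict:
    """Evaluate the JSON body returned by GitLab's (authenticated) GET /api/v4/version."""
    version = parse_version(json.loads(api_response)["version"])
    patched, target = patch_status(version)
    return {
        "version": ".".join(map(str, version)),
        "patched": patched,
        "upgrade_to": None if target is None else ".".join(map(str, target)),
    }


if __name__ == "__main__":
    # Constructed sample bodies standing in for real /api/v4/version responses.
    for body in ('{"version":"16.11.2-ee","revision":"abc"}', '{"version":"17.0.1","revision":"def"}'):
        print(check_instance_version(body))
```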
In addition to the XSS vulnerability, GitLab addressed six other security issues on Wednesday, including a CSRF vulnerability via the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service issue (CVE-2024-2874) that could disrupt the loading of web resources.
Figure: Security issues fixed in GitLab's latest update (Source: GitLab)
Increased Risk from Account Hijacking
GitLab remains a high-value target due to the nature of the data it hosts. The consequences of hijacked GitLab accounts are far-reaching, potentially enabling attackers to orchestrate supply chain attacks by inserting malicious code into continuous integration/continuous deployment (CI/CD) pipelines, thus endangering entire software repositories.
Adding to the urgency, the Cybersecurity and Infrastructure Security Agency (CISA) has highlighted that threat actors are actively exploiting another severe vulnerability, which was patched by GitLab in January. This particular flaw, CVE-2023-7028, allows hackers to take over GitLab accounts through password resets without any user interaction.
Notably, Shadowserver reported that of the more than 5,300 GitLab instances exposed online in January, 2,084 remain accessible. CISA has added CVE-2023-7028 to its Known Exploited Vulnerabilities Catalog, requiring US federal agencies to remediate it on their systems by May 22.
Final Word
Staying ahead of security threats is crucial. With the latest patches, GitLab is keeping your data safe. Make sure to update now and keep your projects secure before it is too late!