Ivanti Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6

2024-11-13T09:12:33 by Alexandre Dulaunoy

JSON

Ivanti has released updates for Ivanti Endpoint Manager which addresses high and critical severity vulnerabilities.

Ivanti is not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6

Primary Product

Endpoint Manager

Created Date

12 Nov 2024 15:00:14

Last Modified Date

12 Nov 2024 21:33:24

Summary

Ivanti has released updates for Ivanti Endpoint Manager which addresses high and critical severity vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Vulnerability Details:

CVE Number

Description

CVSS Score (Severity)

CVSS Vector

CWE

CVE-2024-34787

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

7.8 (High)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-50322

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

7.8 (High)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-32839

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-32841

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-32844

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-32847

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34780

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-37376

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34781

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34782

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34784

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50323

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

7.8 (High)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50324

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-50326

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50327

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50328

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50329

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

8.8 (High)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-50330

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

9.8 (Critical)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-89

Affected Versions

Product Name

Affected Version(s)

Resolved Version(s)

Patch Availability

Ivanti Endpoint Manager (EPM)

2024 September security update and prior,
2022 SU6 September security update and prior

2024 November Security Update, 2022 SU6 November Security Update

MoveIT vulnerabilities exploited

2024-11-12T17:22:11 by Alexandre Dulaunoy

JSON

Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability - Patch ASAP! - June 2024 - CVE-2024-5806 and CVE-2024-5805
Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack - Jun 16, 2023 - CVE-2023-35708
Amazon confirms employee data breach after vendor hack - November 11, 2024 - Most probably CVE-2023-35708

Related vulnerabilities: CVE-2024-5805 CVE-2024-5806 CVE-2023-35708

Android Security Bulletin November 2024

2024-11-07T17:04:54 by Alexandre Dulaunoy

JSON

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-11-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform. Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Note: There are indications that the following may be under limited, targeted exploitation.

CVE-2024-43047
CVE-2024-43093

2024-11-01 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-11-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates. Framework

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2024-40660 A-347307756 [2] EoP High 14, 15 CVE-2024-43081 A-341256043 EoP High 12, 12L, 13, 14, 15 CVE-2024-43085 A-353712853 EoP High 12, 12L, 13, 14, 15 CVE-2024-43093 A-341680936 EoP High 12, 13, 14, 15 CVE-2024-43082 A-296915959 ID High 12, 12L CVE-2024-43084 A-281044385 ID High 12, 12L, 13, 14, 15 CVE-2024-43086 A-343440463 ID High 12, 12L, 13, 14, 15 System

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2024-43091 A-344620577 RCE High 12, 12L, 13, 14, 15 CVE-2024-29779 A-329701910 EoP High 14 CVE-2024-34719 A-242996380 EoP High 12, 12L, 13, 14 CVE-2024-40661 A-308138085 EoP High 12, 12L, 13, 14 CVE-2024-43080 A-330722900 EoP High 12, 12L, 13, 14, 15 CVE-2024-43087 A-353700779 EoP High 12, 12L, 13, 14, 15 CVE-2024-43088 A-326057017 EoP High 12, 12L, 13, 14, 15 CVE-2024-43089 A-304280682 EoP High 12, 12L, 13, 14, 15 CVE-2024-43090 A-331180422 ID High 12, 12L, 13, 14 CVE-2024-43083 A-348352288 DoS High 12, 12L, 13, 14, 15 Google Play system updates

The following issues are included in Project Mainline components. Subcomponent CVE Documents UI CVE-2024-43093 MediaProvider CVE-2024-43089 Permission Controller CVE-2024-40661 WiFi CVE-2024-43083 2024-11-05 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-11-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Kernel

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Subcomponent CVE-2024-36978 A-349777785 Upstream kernel [2] EoP High Net CVE-2024-46740 A-352520660 Upstream kernel [2] [3] [4] [5] [6] [7] [8] EoP High Binder Kernel LTS

The following kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch. References Android Launch Version Kernel Launch Version Minimum Update Version A-348473863 12 5.4 5.4.274 A-348681334 12 4.19 4.19.312 Imagination Technologies

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies. CVE References Severity Subcomponent CVE-2024-34747 A-346643520 * High PowerVR-GPU CVE-2024-40671 A-355477536 * High PowerVR-GPU Imagination Technologies

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies. CVE References Severity Subcomponent CVE-2023-35659 A-350006107 * High PowerVR-GPU CVE-2023-35686 A-350527097 * High PowerVR-GPU CVE-2024-23715 A-350530745 * High PowerVR-GPU CVE-2024-31337 A-337944529 * High PowerVR-GPU CVE-2024-34729 A-331437862 * High PowerVR-GPU MediaTek components

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek. CVE References Severity Subcomponent CVE-2024-20104 A-363850556 M-ALPS09073261 * High DA CVE-2024-20106 A-363849996 M-ALPS08960505 * High m4u Qualcomm components

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-21455 A-357616450 QC-CR#3839449 [2] QC-CR#3875202 [2] High Kernel CVE-2024-38402 A-364017423 QC-CR#3890158 High Kernel CVE-2024-38405 A-357615761 QC-CR#3754687 High WLAN CVE-2024-38415 A-357616194 QC-CR#3775520 [2] High Camera CVE-2024-38421 A-357616018 QC-CR#3793941 High Display CVE-2024-38422 A-357616000 QC-CR#3794268 [2] [3] High Audio CVE-2024-38423 A-357615775 QC-CR#3799033 High Display CVE-2024-43047 A-364017103 QC-CR#3883647 High Kernel Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-38408 A-357615875 * Critical Closed-source component CVE-2024-23385 A-339043003 * High Closed-source component CVE-2024-38403 A-357615948 * High Closed-source component CVE-2024-38424 A-357616230 * High Closed-source component Common questions and answers

This section answers common questions that may occur after reading this bulletin.

How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Security patch levels of 2024-11-01 or later address all issues associated with the 2024-11-01 security patch level.
Security patch levels of 2024-11-05 or later address all issues associated with the 2024-11-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

[ro.build.version.security_patch]:[2024-11-01]
[ro.build.version.security_patch]:[2024-11-05]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2024-11-01 security patch level. Please see this article for more details on how to install security updates.

Why does this bulletin have two security patch levels?

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

Devices that use the 2024-11-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
Devices that use the security patch level of 2024-11-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability. Abbreviation Definition RCE Remote code execution EoP Elevation of privilege ID Information disclosure DoS Denial of service N/A Classification not available

What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. Prefix Reference A- Android bug ID QC- Qualcomm reference number M- MediaTek reference number N- NVIDIA reference number B- Broadcom reference number U- UNISOC reference number

What does an * next to the Android bug ID in the References column mean?

Issues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

HPE Aruba Networking Product Security Advisory - HPESBNW04722 - 05-Nov-2024

2024-11-06T16:21:22 by Alexandre Dulaunoy

JSON

HPE Aruba Networking has released software patches for Access Points running Instant AOS-8 and AOS-10 that address multiple security vulnerabilities.

Reference - https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04722.txt

Security Vulnerabilities fixed in Firefox 132

2024-10-29T21:37:34 by Cédric Bonhomme

JSON

Mozilla Foundation Security Advisory 2024-55 Security Vulnerabilities fixed in Firefox 132

Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-55/

CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility
CVE-2024-10460: Confusing display of origin for external protocol handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4

NVIDIA GPU Display Driver

2024-10-26T08:59:46 by Cédric Bonhomme

JSON

NVIDIA has released a software security update for NVIDIA GPU Display Driver to address various issues.

CVE‑2024‑0126 - "NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

2024-10-21T08:27:33 by Alexandre Dulaunoy

JSON

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs

Reference: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa

Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior Impacted Users: Any organization Impact: Remote attackers gain control of the vulnerable systems Severity Level: Critical

Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network. Background

In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged by a customer to investigate malicious communication originating from their network. During the investigation, FGIR came across an adversary who had gained access to the customer’s network by exploiting the CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance.

Related vulnerabilities: CVE-2024-29824 CVE-2024-9380 CVE-2024-8190 CVE-2024-8963

Update on SVR Cyber Operations and Vulnerability Exploitation

2024-10-14T15:50:35 by Alexandre Dulaunoy

JSON

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats. Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes– have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organization

The authoring agencies are releasing this CSA to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [T1190] and escalation of privileges [T1068]. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs such as spearphishing [T1566], password spraying [T1078], abuse of supply chain [T1195] and trusted relationships [T1199], custom and bespoke malware, cloud exploitation, and living-off-the-land techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.

Ref: PDF - Update on SVR Cyber Operations and Vulnerability Exploitation

GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9

2024-10-11T12:24:01 by Alexandre Dulaunoy

JSON

GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 Nikhil George 8–10 minutes

Learn more about GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Run pipelines on arbitrary branches Critical An attacker can impersonate arbitrary user High SSRF in Analytics Dashboard High Viewing diffs of MR with conflicts can be slow High HTMLi in OAuth page High Deploy Keys can push changes to an archived repository Medium Guests can disclose project templates Medium GitLab instance version disclosed to unauthorized users Low Run pipelines on arbitrary branches

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program. An attacker can impersonate arbitrary user

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8970.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program. SSRF in Analytics Dashboard

An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8977.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Viewing diffs of MR with conflicts can be slow

An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, were viewing diffs of MR with conflicts can be slow. This is a high severity issue (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-9631.

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program. HTMLi in OAuth page

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, it can be made to render as HTML under specific circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3). It is now mitigated in the latest release and is assigned CVE-2024-6530.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Deploy Keys can push changes to an archived repository

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9). It is now mitigated in the latest release and is assigned CVE-2024-9623.

Thanks stevenorman for reporting this vulnerability. Guests can disclose project templates

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-5005.

Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program. GitLab instance version disclosed to unauthorized users

An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2024-9596.

This issue was discovered internally by GitLab team member Paul Gascou-Vaillancourt. Bug fixes 17.4.2

Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-4-stable
Backport grpc-go v1.67.1 upgrade to 17.4
Update expected vulnerability in enable_advanced_sast_spec.rb
Skip multi-version upgrade job for stable branch MRs
Backport 17.4 Fix label filter by name for search
Restrict duo pro assignment email to duo pro for sm
Drop project_id not null constraint ci_deleted_objects
[Backport] Go-get: fix 401 error for unauthenticated requests

17.3.5

Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-3-stable
Backport: fix: Allow non-root user to run the bundle-certificates script 17.3
Skip multi-version upgrade job for stable branch MRs
Ensure restricted visibility levels is an array - 17.3 backport

17.2.9

Skip multi-version upgrade job for stable branch MRs
Ensure restricted visibility levels is an array - 17.2 backport

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases. We’re combining patch and security releases

This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.

Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1

2024-10-10T10:02:19 by Cédric Bonhomme

JSON

The vulnerability, tracked as CVE-2024-9680, and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.

"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."

A patch has been made available on Tue, 08 Oct 2024 16:25:12 +0000.

Related vulnerabilities: CVE-2024-9680

Recent bundles

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs