20240726003-GitLab-Releases-Security-Advisory (#901)
* 20240510001-F5-Security-Advisory-Addresses-Multiple-Vulnerabilities

* Format markdown docs

* 20240419003-PuTTY-vulnerability

* Format markdown docs

* 20240117006-Citrix-Critical-Security-Advisory

* Format markdown docs

* 20240117006-Citrix-Critical-Security-Advisory

* Format markdown docs

* 20240514002-Android-Security-Advisory-May-2024

* Format markdown docs

* 20240515004-Adobe-Products-Arbitrary-Code-Execution-Multiple-Vulnerabilities

* Format markdown docs

* 20240515004-Adobe-Products-Arbitrary-Code-Execution-Multiple-Vulnerabilities

* Format markdown docs

* [May 2024 Security Updates](https://msrc.microsoft.com/update-guide/releaseNote/2024-May)

* Format markdown docs

* Next.js Vulnerabilities - 20240513002

* 20240517004-Google-Chrome-Arbitrary-Code-Execution-Vulnerabilities

* Format markdown docs

* 20240514001-Chromium-Visuals-update

* Format markdown docs

* Apple Security Updates for Multiple Products - 20240515001

* 20240517004-Google-Chrome-Arbitrary-Code-Execution-Vulnerabilities

* Format markdown docs

* 20240517004-Google-Chrome-Arbitrary-Code-Execution-Vulnerabilities

* Format markdown docs

* 20240524001-WinRAR-Text-Vulnerability

* Format markdown docs

* 20240527001-Google-Chrome-ZeroDay

* Format markdown docs

* 20240604005-SnowFlake-Cyber-Threat-Activity-Targeting-Customer-Accounts

* Format markdown docs

* 20240604004-SnowFlake-Cyber-Threat-Activity-Targeting-Customer-Accounts

* 20240606001-Google-Cloud-Platform(GCP)-Privilege-Escalation-Vulnerability

* Format markdown docs

* 20240702001-OpenSSH-Critical-Advisory

* Format markdown docs

* 20240710003-CISA-Releases-APT40-Advisory

* 20240710003-CISA-Releases-APT40-Advisory

* 20240710003-CISA-Releases-APT40-Advisory

* 20240710003-CISA-Releases-APT40-Advisory

* Format markdown docs

* 20240718005 - Atlassian July 2024 Security Advisory

* Format markdown docs

* 20240718005 - Atlassian July 2024 Security Advisory

* Format markdown docs

* Format markdown docs

* 20240726003-GitLab-Releases-Security-Advisory

* Format markdown docs

* 20240726003-GitLab-Releases-Security-Advisory

* Format markdown docs

* 20240726003-GitLab-Releases-Security-Advisory

* Format markdown docs

* 20240726003-GitLab-Releases-Security-Advisory

* Format markdown docs

* 20240726003-GitLab-Releases-Security-Advisory

* Format markdown docs

---------

Co-authored-by: TWangmo <TWangmo@users.noreply.github.com>
Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com>
Co-authored-by: Adon Metcalfe <adon.metcalfe@dpc.wa.gov.au>
Co-authored-by: adonm <adonm@users.noreply.github.com>
Co-authored-by: DGovEnterprise <DGovEnterprise@users.noreply.github.com>
6 people authored Jul 26, 2024
1 parent 2c9d515 commit 8354485
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions docs/advisories/20240726003-GitLab-Releases-Security-Advisory.md
@@ -0,0 +1,26 @@
# GitLab Releases Security Advisory - 20240726003

## Overview

GitLab, the widely used code collaboration platform addresses vulnerabilities across multiple versions of its software. While none of the flaws are classified as "critical," at the time of writing one high-severity cross-site scripting (XSS) bug could have serious consequences if not patched promptly.

## What is vulnerable?

| Product(s) Affected | Version(s) | CVE | CVSS | Severity | Dated |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---- | ---------- | ------------- |
| Enterprise Edition (EE) | [- from 16.11 to 17.0.5 <br/> - from 17.1 to 17.1.3 <br/> - from 17.2 to 17.2.1](https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/) | [CVE-2024-5067](https://nvd.nist.gov/vuln/detail/CVE-2024-5067) | 4.4 | **Medium** | 24 July, 2024 |
| GitLab Community Edition (CE) <br/> Enterprise Edition (EE) | [- from 16.7 to 17.0.5 <br/> - from 17.1 to 17.1.3 <br/> - from 17.2 to 17.2.1](https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/) | [CVE-2024-7057](https://nvd.nist.gov/vuln/detail/CVE-2024-7057) | 4.3 | **Medium** | 24 July, 2024 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- [GitLab Patch Release](https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/)

## Additional References

- [Securityonline blog post](https://securityonline.info/gitlab-patches-six-security-flaws-urges-immediate-update/)
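Review bot: the Overview paragraph says one high-severity cross-site scripting (XSS) bug is among the fixes, but the "What is vulnerable?" table only lists two Medium-rated entries (CVE-2024-5067 at CVSS 4.4 and CVE-2024-7057 at CVSS 4.3), so either add a table row for the high-severity issue with its CVE, CVSS and affected versions, or reword the Overview so readers are not left looking for a missing entry. Smaller points in the same hunk: the first table row reads "Enterprise Edition (EE)" while the second reads "GitLab Community Edition (CE) <br/> Enterprise Edition (EE)", so name the product consistently; "GitLab, the widely used code collaboration platform addresses" needs a comma after "platform"; and the Recommendation's "within expected timeframe of *one month...*" should read "within the expected timeframe of *one month*" without the trailing ellipsis.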
