The latest patch releases 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE) contain essential security fixes that require immediate attention from all self-managed GitLab administrators. These vulnerabilities allow authenticated users with invitation privileges and maintainers respectively to bypass group-level user invitation restrictions through crafted API requests and manipulation of group invitation functionality. This extensive version range indicates that the vulnerability has been present in GitLab systems for a considerable period, making immediate patching crucial. The patch releases also include rsync security updates to version 3.4.1, addressing additional vulnerabilities including CVE-2024-12084 and CVE-2024-12088. This high-severity vulnerability carries a CVSS score of 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating significant potential impact on confidentiality and integrity. However, the scope is changed, meaning the vulnerable component impacts resources beyond its security scope, potentially affecting high confidentiality and integrity. Authorization bypass flaws let authenticated users circumvent group-level restrictions through API manipulation. High-severity XSS vulnerability (CVE-2025-6948) allows attackers to execute actions via malicious content injection.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 14:20:30 +0000