GitLab has released security patches 16.11.1, 16.10.4, and 16.9.6 for both Community and Enterprise Editions to address critical vulnerabilities. These patches are aimed at preventing account takeovers, denial-of-service attacks, and unauthorized access to restricted files.
The vulnerabilities identified include issues with Bitbucket OAuth authentication, GraphQL subscriptions, and domain-based restrictions bypass. Specifically, under certain circumstances, attackers could exploit vulnerabilities to take over GitLab accounts when using Bitbucket for OAuth authentication. Additionally, path traversal and Regular Expression Denial-of-Service (ReDoS) vulnerabilities in FileFinder could lead to denial-of-service attacks and unauthorized access to restricted files.
To mitigate these risks, users are strongly advised to upgrade to the latest GitLab versions before May 16th, 2024. It’s crucial to note that versions before 16.9.6, 16.10.4, and 16.11.1 are vulnerable to these attacks, emphasizing the importance of immediate action.
Furthermore, GitLab is updating Bitbucket authentication, requiring users to sign in with Bitbucket credentials before May 16th, 2024, to relink accounts. Failure to do so may necessitate manual re-linking. Users with mismatched email addresses between GitLab and Bitbucket should use their GitLab username and password for login and re-linking purposes.
