PT-2024-39228 · GitLab · GitLab CE/EE +1

Published: 2024-09-12 · Updated: 2024-09-22 · CVE-2024-8754

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
GitLab EE/CE versions 16.9.7 through 17.1.7
GitLab EE/CE versions 17.2 through 17.2.5
GitLab EE/CE versions 17.3 through 17.3.2

Description: An issue has been discovered in GitLab EE/CE that allows an attacker to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured. The root cause is improper input validation.

Recommendations:
For GitLab EE/CE versions 16.9.7 through 17.1.7, update to version 17.1.7 or later.
For GitLab EE/CE versions 17.2 through 17.2.5, update to version 17.2.5 or later.
For GitLab EE/CE versions 17.3 through 17.3.2, update to version 17.3.2 or later.
As a temporary workaround, consider disabling JWT authentication until a patch is available. Restrict access to account linking features to minimize the risk of exploitation.

Related Identifiers

BIT-GITLAB-2024-8754
CVE-2024-8754

Affected Products

GitLab
GitLab CE/EE