PT-2024-6938 · Gitlab · Gitlab Ce/Ee+1

Joaxcaron · Published 2024-10-09 · Updated 2024-10-16 · CVE-2024-8977

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
GitLab EE versions 15.10 through 17.2.8
GitLab EE versions 17.3 through 17.3.4
GitLab EE versions 17.4 through 17.4.1

Description
An issue has been discovered in GitLab EE that could allow a remote attacker to perform a Server-Side Request Forgery (SSRF) attack. This issue is related to insufficient validation of incoming requests. Instances with the Product Analytics Dashboard configured and enabled are vulnerable to SSRF attacks.
Recommendations
For GitLab EE versions 15.10 through 17.2.8, upgrade to version 17.2.9.
For GitLab EE versions 17.3 through 17.3.4, upgrade to version 17.3.5.
For GitLab EE versions 17.4 through 17.4.1, upgrade to version 17.4.2.
As a temporary workaround, consider disabling the Product Analytics Dashboard until the fixed version can be applied. Restrict access to the Product Analytics Dashboard to minimize the risk of exploitation.
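To turn the three affected ranges above into a repeatable check, the following added example (not part of the advisory or of GitLab's own tooling) parses a GitLab EE version string, tests it against the ranges listed in this advisory, and reports the fixed version to upgrade to. The range table is copied from the recommendations above; the version-string handling (two-part versions treated as .0, an optional "-ee" suffix) is an assumption about how the version is reported in practice.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, fixed) as given in this advisory.
AFFECTED_RANGES = [
    ("15.10", "17.2.8", "17.2.9"),
    ("17.3", "17.3.4", "17.3.5"),
    ("17.4", "17.4.1", "17.4.2"),
]


def parse_version(s: str) -> Version:
    """'17.2.8' -> (17, 2, 8); '17.3' -> (17, 3, 0).

    A trailing edition suffix such as '-ee' is dropped (assumption about the
    reported version format). Non-numeric components raise ValueError.
    """
    core = s.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `version` falls in an
    affected range, or None if this advisory does not cover it."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None


if __name__ == "__main__":
    import sys
    # Usage: python check.py 17.3.2   (version string is a constructed sample)
    for arg in sys.argv[1:] or ["17.3.2"]:
        fixed = assess(arg)
        if fixed:
            print(f"{arg}: affected by CVE-2024-8977, upgrade to {fixed}")
        else:
            print(f"{arg}: not in an affected range listed by this advisory")
```

Note that a version outside all three ranges is reported as not covered by this advisory, not as safe; versions newer than 17.4.2 are simply not listed here, and the ranges should be refreshed if the advisory is updated.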

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

BDU:2024-08161
BIT-GITLAB-2024-8977
CVE-2024-8977

Affected Products

Gitlab
Gitlab Ce/Ee