CVE-2024-11274

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 16.1 through 17.4.6 GitLab CE/EE versions 17.5 through 17.5.4 GitLab CE/EE versions 17.6 through 17.6.2

Description An issue was discovered in GitLab CE/EE where the injection of Network Error Logging (NEL) headers in the k8s proxy response could lead to session data exfiltration. This could potentially allow an attacker to gain unauthorized access to accounts. The issue is related to the disclosure of information during data transmission.

Recommendations For GitLab CE/EE versions 16.1 through 17.4.6, update to version 17.4.6 or later. For GitLab CE/EE versions 17.5 through 17.5.4, update to version 17.5.4 or later. For GitLab CE/EE versions 17.6 through 17.6.2, update to version 17.6.2 or later. As a temporary workaround, consider restricting access to the k8s proxy response to minimize the risk of exploitation.