CVE-2024-1211

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 10.6 through 16.9.7 GitLab CE/EE versions 16.10 through 16.10.5 GitLab CE/EE versions 16.11 through 16.11.2

Description An issue has been discovered in GitLab CE/EE where cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider. This issue is related to a configuration vulnerability of the JWT OmniAuth provider, which could allow a remote attacker to conduct a cross-site scripting (XSS) attack.

Recommendations For versions 10.6 through 16.9.7, update to version 16.9.7 or later. For versions 16.10 through 16.10.5, update to version 16.10.5 or later. For versions 16.11 through 16.11.2, update to version 16.11.2 or later. As a temporary workaround, consider restricting the use of the JWT OmniAuth provider until a patch is available.