CVE-2024-0231
GitLab vulnerability analysis and mitigation

Overview

A resource misdirection vulnerability was identified in GitLab CE/EE affecting versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1. The vulnerability allows attackers to bypass the tag-name check during project imports, specifically the restriction that prevents tags from being named with a SHA1 or SHA256 hash value (GitLab Issue).

Technical details

The vulnerability stems from a gap in GitLab's security controls: the tag-name validation applied to normal tag creation was not applied during project imports. While GitLab normally rejects tags whose names match a SHA1 or SHA256 hash pattern, this restriction could be circumvented when importing projects through several import methods, including the Git importer, the Gitea importer, and the GitLab export/import functionality (GitLab Issue).

Impact

The vulnerability could potentially allow attackers to manipulate code references and execute arbitrary code. If a pipeline imported from the CI/CD catalog is pinned to a commit, an attacker could create a git tag whose name is that commit's hash but which points at different code, so the reference resolves to the tag instead of the commit. Additionally, local checkouts by users who rely on a specific commit hash could be redirected in the same way (GitLab Issue).
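The technical-details and impact sections above describe a single control (reject tag names that look like a commit hash) that was enforced on one code path but not on the import paths. The Ruby below is an added example, not GitLab's own code: it shows one shared validator that every tag-creating path should call, plus an audit helper a maintainer can run over the output of `git for-each-ref --format='%(refname:short)' refs/tags` on an already-imported repository to find hash-like tag names that slipped in before the fix. The regexes, function names and the sample tag listing are this example's own assumptions and constructed data.

```ruby
# Added example (not GitLab's own code): a shared tag-name check and an
# audit over a tag listing. A tag named like a commit hash can shadow the
# commit it imitates when a ref is resolved by name, so the check must run
# on every path that creates tags (push, API, and each importer).

SHA1_LIKE   = /\A\h{40}\z/   # 40 hex digits, the shape of a SHA1 object id
SHA256_LIKE = /\A\h{64}\z/   # 64 hex digits, the shape of a SHA256 object id

# True when the tag name could be mistaken for a commit id (either case).
def hash_like_tag_name?(name)
  !!(name =~ SHA1_LIKE || name =~ SHA256_LIKE)
end

# One validator for all creation paths. Returns [ok, reason].
def validate_tag_name(name)
  return [false, "empty name"] if name.nil? || name.strip.empty?
  return [false, "looks like a SHA1 commit id"] if name =~ SHA1_LIKE
  return [false, "looks like a SHA256 commit id"] if name =~ SHA256_LIKE
  [true, nil]
end

# Audits a tag listing (one tag per line, as printed by
# `git for-each-ref --format='%(refname:short)' refs/tags`) and returns
# the tag names that the validator would have rejected.
def audit_tag_list(text)
  text.each_line.map(&:strip).reject(&:empty?).select { |t| hash_like_tag_name?(t) }
end

# Constructed sample listing of an imported repository (not real data).
SAMPLE_TAGS = <<~TAGS
  v1.0.0
  v1.1.0-rc1
  0123456789abcdef0123456789abcdef01234567
  release-2024-07
  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  0123456789ABCDEF0123456789ABCDEF01234567
TAGS

if __FILE__ == $PROGRAM_NAME
  audit_tag_list(SAMPLE_TAGS).each { |t| puts "suspicious tag: #{t}" }
end
```

The audit is deliberately strict: uppercase hex is flagged as well as lowercase, and a 39- or 41-character string is not, because only an exact-length hex string is ambiguous with an object id. On a fixed GitLab instance the validator side of this is what the import paths now enforce; the audit side is what you would run over projects imported before upgrading.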

Mitigation and workarounds

Users should upgrade to GitLab versions 17.0.5, 17.1.3, or 17.2.1 or later, depending on their current version track. These releases include fixes for the tag name validation bypass during project imports (GitLab Issue).


Related GitLab vulnerabilities:

CVE-2025-12571
  Severity: HIGH (score 7.5)
  Technologies: GitLab
  Component name: GitLab (cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*)
  CISA KEV exploit: No
  Has fix: Yes
  Published date: Nov 26, 2025

CVE-2025-7449
  Severity: MEDIUM (score 6.5)
  Technologies: GitLab
  Component name: GitLab (cpe:2.3:a:gitlab:gitlab)
  CISA KEV exploit: No
  Has fix: Yes
  Published date: Nov 26, 2025

CVE-2025-12653
  Severity: MEDIUM (score 6.5)
  Technologies: GitLab
  Component name: GitLab (cpe:2.3:a:gitlab:gitlab)
  CISA KEV exploit: No
  Has fix: Yes
  Published date: Nov 26, 2025

CVE-2025-13611
  Severity: MEDIUM (score 5.3)
  Technologies: GitLab
  Component name: GitLab (cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*)
  CISA KEV exploit: No
  Has fix: Yes
  Published date: Nov 26, 2025

CVE-2025-6195
  Severity: MEDIUM (score 4.3)
  Technologies: GitLab
  Component name: GitLab (gitlab)
  CISA KEV exploit: No
  Has fix: Yes
  Published date: Nov 26, 2025
