CVE-2024-4099: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection (GitLab Release, NVD).

The vulnerability stems from GitLab's AI features reading unsanitized content when handling descriptions and comments. This creates a discrepancy between what the AI sees and what the user sees in the UI, as content removed by DOMPurify in the Banzai filters for Markdown remains in the comments' raw data which the AI reads. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (GitLab Release).

The vulnerability allows attackers to inject hidden prompts to the AI services that will not show up in the UI but will impact what messages the AI presents to the user. This gives attackers control over AI answers without the victim being able to verify the data in the UI. The attack can be executed through various entry points, including Service Desk, making it accessible to unauthenticated users (GitLab Issue).

The vulnerability has been patched in GitLab versions 17.2.8, 17.3.4, and 17.4.1. Users are strongly recommended to upgrade to these versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).