GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
The release covers versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.
With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could allow an attacker to execute environment stop actions as the owner of the stop action job.
The severity of the flaw comes from its potential for remote exploitation, the lack of required user interaction, and the low privileges needed to exploit it.
GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.
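A practical way to act on the affected ranges above is to encode them and check an instance inventory against them. The following Python is an added example, not GitLab's own tooling: the ranges are the ones stated in this article for CVE-2024-6678, the upper bounds are treated as exclusive because 17.1.7, 17.2.5 and 17.3.2 are the patched releases, and the host names and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
import re
from typing import Optional

# Affected ranges for CVE-2024-6678 as stated in the advisory summary:
# 8.14 up to 17.1.7, 17.2 prior to 17.2.5, 17.3 prior to 17.3.2.
# Each entry is (first affected, first fixed); the upper bound is exclusive,
# since 17.1.7, 17.2.5 and 17.3.2 are the releases that carry the fix.
AFFECTED_RANGES_CVE_2024_6678 = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]

# Accepts "17.3.1", "17.3.1-ee", "v17.2" and similar; edition suffixes are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version: str, ranges=AFFECTED_RANGES_CVE_2024_6678) -> Optional[str]:
    """Return the first patched release that closes the range the given version
    falls into, or None when the version is outside every affected range."""
    parsed = parse_version(version)
    for first_affected, first_fixed in ranges:
        if first_affected <= parsed < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


def is_vulnerable(version: str, ranges=AFFECTED_RANGES_CVE_2024_6678) -> bool:
    return fixed_version_for(version, ranges) is not None


def triage(inventory: dict, ranges=AFFECTED_RANGES_CVE_2024_6678) -> dict:
    """Map each host in an inventory to the first fixed release it should reach,
    or None if its version is not affected."""
    return {host: fixed_version_for(ver, ranges) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "gitlab-prod": "17.3.1-ee",
    "gitlab-staging": "17.2.5-ee",
    "gitlab-legacy": "16.11.4-ce",
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        status = f"affected, upgrade to {fix} or later" if fix else "not in an affected range"
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

The check covers only CVE-2024-6678; the four high-severity issues in this bulletin each have a different first affected version, so a fleet check would carry one range table per CVE. The returned version is the first fixed release on the instance's line; GitLab's own recommendation, quoted below, is to move to the latest version rather than stop at the first patched one.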
"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible." – GitLab
GitLab pipelines are automated workflows used to build, test, and deploy code, part of GitLab's CI/CD (Continuous Integration/Continuous Delivery) system.
They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.
GitLab has addressed arbitrary pipeline execution vulnerabilities several times in recent months, including in July 2024 to fix CVE-2024-6385, in June 2024 to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical.
The bulletin also lists four high-severity issues with scores between 6.7 and 8.5 that could potentially allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows:
- CVE-2024-8640: Due to improper input filtering, attackers could inject commands into a connected Cube server via YAML configuration, potentially compromising data integrity. Affects GitLab EE starting from 16.11.
- CVE-2024-8635: Attackers could exploit a Server-Side Request Forgery (SSRF) vulnerability by crafting a custom Maven Dependency Proxy URL to make requests to internal resources, compromising internal infrastructure. Affects GitLab EE starting from 16.8.
- CVE-2024-8124: Attackers could trigger a denial-of-service (DoS) condition by sending a large 'glm_source' parameter, overwhelming the system and making it unavailable. Affects GitLab CE/EE starting from 16.4.
- CVE-2024-8641: Attackers could exploit a CI_JOB_TOKEN to gain access to a victim's GitLab session token, allowing them to hijack the session. Affects GitLab CE/EE starting from 13.7.
For update instructions, source code, and packages, check GitLab's official download portal. The latest GitLab Runner packages are available there as well.