GitLab has released security updates to address a number of flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.
The vulnerability, tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository.
CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, and are normally available only to users with the appropriate permissions.
An attacker able to bypass branch protections could potentially achieve code execution or gain access to sensitive information.
The issue, which has received a CVSS v3.1 score of 9.6, rating it critical, affects all GitLab EE versions from 12.5 up to 17.2.8, from 17.3 up to 17.3.4, and from 17.4 up to 17.4.1.
Patches have been made available in versions 17.4.2, 17.3.5, and 17.2.9, which are the upgrade targets for GitLab users.
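As an added example (not code from the article or from GitLab), the following helper encodes the affected and patched version ranges quoted above so an administrator can check an instance's reported version; the version string format it parses is the one GitLab's `GET /api/v4/version` endpoint returns (for example `17.4.1-ee`), and the `recommended_upgrade` logic is an assumption of this example, not advisory text.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2024-9164 as stated in the advisory text,
# as inclusive [lower, upper] bounds.
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 8)),
    ((17, 3, 0), (17, 3, 4)),
    ((17, 4, 0), (17, 4, 1)),
]
# Patched releases named in the article (the upgrade targets).
FIXED_VERSIONS = sorted({(17, 2, 9), (17, 3, 5), (17, 4, 2)})


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a 3-tuple of ints.

    The edition suffix ('-ee' / '-ce') that GitLab appends is ignored;
    a missing PATCH component is treated as 0 (e.g. '17.3' -> 17.3.0).
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(text: str) -> bool:
    """True if the version lies inside an affected range for CVE-2024-9164."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> Optional[str]:
    """Suggest a patched release for an affected version, else None.

    Assumption of this example: prefer the fix on the same minor line
    (17.2.x -> 17.2.9); for older lines with no backport listed (16.x),
    return the lowest patched release above the current version.
    """
    if not is_affected(text):
        return None
    v = parse_version(text)
    same_line = [f for f in FIXED_VERSIONS if f[:2] == v[:2] and f > v]
    candidates = same_line or [f for f in FIXED_VERSIONS if f > v]
    return ".".join(map(str, candidates[0]))
```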
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” warns GitLab’s security bulletin.
It is clarified that GitLab Dedicated customers do not need to take any action, as their cloud-hosted instances always run the latest available version.
Along with CVE-2024-9164, the latest GitLab releases address the following security issues:
- CVE-2024-8970: High severity arbitrary user impersonation flaw enabling attackers to trigger pipelines as another user.
- CVE-2024-8977: High severity SSRF flaw in the Analytics Dashboard, making instances vulnerable to SSRF attacks.
- CVE-2024-9631: High severity flaw causing slow performance when viewing diffs of merge requests with conflicts.
- CVE-2024-6530: High severity HTML injection vulnerability in the OAuth page allowing cross-site scripting during OAuth authorization.
- CVE-2024-9623, CVE-2024-5005, CVE-2024-9596: Low to medium severity flaws, including deploy keys pushing to archived repositories, guest users disclosing project templates via the API, and GitLab instance version disclosure to unauthorized users.
GitLab pipelines have recently proven to be a constant source of security vulnerabilities for the platform and its users.
GitLab addressed arbitrary pipeline execution vulnerabilities several times this year, including CVE-2024-6678 last month, CVE-2024-6385 in July, and CVE-2024-5655 in June, all rated critical.
For instructions, source code, and packages, check GitLab’s official download portal. The latest GitLab Runner packages are available there as well.