GitLab has launched security updates for Group Version (CE) and Enterprise Version (EE) to deal with eight security flaws, together with a vital bug that would permit working Steady Integration and Steady Supply (CI/CD) pipelines on arbitrary branches.
Tracked as CVE-2024-9164, the vulnerability carries a CVSS rating of 9.6 out of 10.
“A problem was found in GitLab EE affecting all variations ranging from 12.5 previous to 17.2.9, ranging from 17.3, previous to 17.3.5, and ranging from 17.4 previous to 17.4.2, which permits working pipelines on arbitrary branches,” GitLab mentioned in an advisory.
Of the remaining seven points, 4 are rated excessive, two are rated medium, and one is rated low in severity –
- CVE-2024-8970 (CVSS rating: 8.2), which permits an attacker to set off a pipeline as one other person underneath sure circumstances
- CVE-2024-8977 (CVSS rating: 8.2), which permits SSRF assaults in GitLab EE cases with Product Analytics Dashboard configured and enabled
- CVE-2024-9631 (CVSS rating: 7.5), which causes slowness when viewing diffs of merge requests with conflicts
- CVE-2024-6530 (CVSS rating: 7.3), which ends up in HTML injection in OAuth web page when authorizing a brand new software as a consequence of a cross-site scripting subject
The advisory is the newest wrinkle of what seems to be a gentle stream of pipeline-related vulnerabilities which were disclosed by GitLab in current months.
Final month, the corporate addressed one other vital flaw (CVE-2024-6678, CVSS rating: 9.9) that would permit an attacker to run pipeline jobs as an arbitrary person.
Previous to that, it additionally patched three different related shortcomings – CVE-2023-5009 (CVSS rating: 9.6), CVE-2024-5655 (CVSS rating: 9.6), and CVE-2024-6385 (CVSS rating: 9.6).
Whereas there isn’t any proof of energetic exploitation of the vulnerability, customers are beneficial to replace their cases to the newest model to safeguard towards potential threats.
