GitLab has launched vital updates to handle a number of vulnerabilities, essentially the most extreme of them (CVE-2024-6678) permitting an attacker to set off pipelines as arbitrary customers underneath sure situations.
The discharge is for variations 17.3.2, 17.2.5, and 17.1.7 for each GitLab Neighborhood Version (CE) and Enterprise Version (EE), and patches a complete of 18 safety points as a part of the bi-monthly (scheduled) safety updates.
With a vital severity rating of 9.9, the CVE-2024-6678 vulnerability might allow an attacker to execute setting cease actions because the proprietor of the cease motion job.
The severity of the flaw comes from its potential for distant exploitation, lack of consumer interplay, and the low privileges required for exploiting it.
GitLab warns that the problem impacts CE/EE variations from 8.14 as much as 17.1.7, variations from 17.2 previous to 17.2.5, and variations from 17.3 previous to 17.3.2.
We strongly advocate that every one installations operating a model affected by the problems described beneath are upgraded to the most recent model as quickly as attainable. – GitLab
GitLab pipelines are automated workflows used to construct, check, and deploy code, a part of GitLab’s CI/CD (Steady Integration/Steady Supply) system.
They’re designed to streamline the software program growth course of by automating repetitive duties and making certain that modifications to the codebase are examined and deployed constantly.
GitLab addressed arbitrary pipeline execution vulnerabilities a number of instances in current months, together with in July 2024, to repair CVE-2024-6385, in June 2024, to repair CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated vital.
The bulletin additionally lists 4 high-severity points with scores between 6.7 – 8.5, that might doubtlessly permit attackers to disrupt providers, execute unauthorized instructions, or compromise delicate sources. The problems are summarized as follows:
- CVE-2024-8640: As a result of improper enter filtering, attackers might inject instructions right into a linked Dice server by way of YAML configuration, doubtlessly compromising knowledge integrity. Impacts GitLab EE ranging from 16.11.
- CVE-2024-8635: Attackers might exploit a Server-Facet Request Forgery (SSRF) vulnerability by crafting a customized Maven Dependency Proxy URL to make requests to inside sources, compromising inside infrastructure. Impacts GitLab EE ranging from 16.8.
- CVE-2024-8124: Attackers might set off a DoS assault by sending a big ‘glm_source’ parameter, overwhelming the system and making it unavailable. Impacts GitLab CE/EE ranging from 16.4.
- CVE-2024-8641: Attackers might exploit a CI_JOB_TOKEN to realize entry to a sufferer’s GitLab session token, permitting them to hijack a session. Impacts GitLab CE/EE ranging from 13.7.
For replace directions, supply code, and packages, try GitLab’s official obtain portal. The most recent GitLab Runner packages are out there right here.
