GitLab warns of critical arbitrary branch pipeline execution flaw

GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.

The vulnerability, tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository.

CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, and are normally available only to users with the appropriate permissions.

An attacker able to bypass branch protections could potentially achieve code execution in the pipeline or gain access to sensitive information such as the secrets and variables the pipeline can read.

The issue, which has received a CVSS v3.1 score of 9.6 (critical), affects all GitLab EE versions from 12.5 up to 17.2.8, from 17.3 up to 17.3.4, and from 17.4 up to 17.4.1.

Patches are available in versions 17.4.2, 17.3.5, and 17.2.9, which are the upgrade targets for GitLab users.
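A practitioner's first question is whether a given instance falls inside those ranges. The following is an added example, not code from GitLab or from the original article: it encodes the affected ranges and fixed releases stated above for CVE-2024-9164 and checks a version string against them. The version strings are assumed to look like the ones GitLab reports (for example "17.4.1-ee"); the sample JSON payload in the block is constructed for illustration.

```python
"""Check a GitLab version string against the affected ranges for CVE-2024-9164.

Added example; the ranges below are the ones given in the advisory summary
(lower bound inclusive, last affected release inclusive, first fixed release).
"""
from __future__ import annotations

import json

# (first affected, last affected, first fixed), as (major, minor, patch) tuples.
# The 12.5 .. 17.2.8 range deliberately covers every end-of-life 13.x..17.1.x
# release too: those are affected and have no patch of their own, so the
# upgrade target is the lowest fixed release, 17.2.9 (or preferably the latest).
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 8), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 4), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 1), (17, 4, 2)),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '17.4.1', '17.4.1-ee' or '17.3' into a (major, minor, patch) tuple.

    GitLab appends '-ee' or '-ce' to the version it reports; that suffix is
    dropped before comparing. A missing patch component is treated as 0.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def upgrade_target(version: str) -> str | None:
    """Return the first fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for first_bad, last_bad, fixed in AFFECTED_RANGES:
        if first_bad <= v <= last_bad:
            return "%d.%d.%d" % fixed
    return None


def check_version_payload(payload: str) -> str | None:
    """Check the JSON body of GitLab's /api/v4/version endpoint.

    That endpoint returns an object with a "version" key (requires an
    authenticated token). The payload used here is constructed for the example.
    """
    return upgrade_target(json.loads(payload)["version"])


if __name__ == "__main__":
    # Constructed sample of what /api/v4/version returns on an affected instance.
    sample = '{"version": "17.4.1-ee", "revision": "0123456789a"}'
    target = check_version_payload(sample)
    if target is None:
        print("not in an affected range")
    else:
        print(f"affected: upgrade to at least {target}")
```

Note that the ranges above are the ones the advisory gives for EE; the same release also fixes issues that affect CE, so a CE instance on an older release should be upgraded regardless of what this check reports.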

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” warns GitLab’s security bulletin.

GitLab also clarified that GitLab Dedicated customers don’t need to take any action, as their cloud-hosted instances always run the latest available version.

Along with CVE-2024-9164, the latest GitLab releases address the following security issues:

  • CVE-2024-8970: High severity arbitrary user impersonation flaw enabling attackers to trigger pipelines as another user.
  • CVE-2024-8977: High severity SSRF flaw in the Analytics Dashboard, leaving instances vulnerable to server-side request forgery attacks.
  • CVE-2024-9631: High severity flaw causing slow performance when viewing diffs of merge requests with conflicts.
  • CVE-2024-6530: High severity HTML injection vulnerability in the OAuth page allowing cross-site scripting during OAuth authorization.
  • CVE-2024-9623, CVE-2024-5005, CVE-2024-9596: Low to medium severity flaws, including deploy keys being able to push to archived repositories, guest users disclosing project templates via the API, and GitLab instance version disclosure to unauthorized users.

GitLab pipelines have lately proved to be a recurring source of security vulnerabilities for the platform and its users.

GitLab has addressed arbitrary pipeline execution vulnerabilities several times this year, including CVE-2024-6678 last month, CVE-2024-6385 in July, and CVE-2024-5655 in June, all rated critical.

For instructions, source code, and packages, check GitLab’s official download portal. The latest GitLab Runner packages are available there as well.
