New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

Oct 11, 2024 | Ravie Lakshmanan | DevOps / Vulnerability

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.

Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10.


“An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches,” GitLab stated in an advisory.
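As a quick check against the version ranges quoted in the advisory, the following is an added Python example (not from the article or from GitLab) that classifies a GitLab version string as affected or not and names the lowest patched release. The ranges are the three stated above; the sample JSON body is constructed in the shape GitLab's authenticated GET /api/v4/version endpoint returns, so the script runs offline.

```python
"""Check a GitLab version string against the CVE-2024-9164 affected ranges.

Added example, not from the article or from GitLab. The ranges come from the
advisory quoted above; the sample /api/v4/version body below is constructed.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as [first affected, first fixed) per line:
# 12.5 prior to 17.2.9, 17.3 prior to 17.3.5, 17.4 prior to 17.4.2.
AFFECTED_RANGES = (
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
)


def parse_version(text: str) -> Version:
    """Turn '17.4.1', '17.4.1-ee' or '17.4' into a (major, minor, patch) tuple.

    Suffixes such as '-ee' or '-pre' are ignored; a missing patch counts as 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (fixed releases excluded)."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release above the affected range the version falls in.

    Returns None when the version is outside every range listed in the advisory.
    Versions newer than the table (e.g. 17.5.x) are also reported as None, so keep
    the table in step with later advisories.
    """
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def assess_instance(version_json: str) -> dict:
    """Assess a /api/v4/version response body (a JSON object with a 'version' key)."""
    body = json.loads(version_json)
    version = body["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": fixed_version_for(version),
    }


if __name__ == "__main__":
    # Constructed sample body in the shape GET /api/v4/version returns.
    SAMPLE_BODY = '{"version": "17.4.1-ee", "revision": "0000000"}'
    print(assess_instance(SAMPLE_BODY))
```

The comparison is done on integer tuples rather than strings so that 17.2.10 correctly sorts above 17.2.9; a string comparison would flag the patched 17.2.10 as affected. Pipe a real response body from the version endpoint into assess_instance to get the same verdict for a live instance.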

Of the remaining seven issues, four are rated high, two are rated medium, and one is rated low in severity –

  • CVE-2024-8970 (CVSS score: 8.2), which allows an attacker to trigger a pipeline as another user under certain circumstances
  • CVE-2024-8977 (CVSS score: 8.2), which allows SSRF attacks in GitLab EE instances with Product Analytics Dashboard configured and enabled
  • CVE-2024-9631 (CVSS score: 7.5), which causes slowness when viewing diffs of merge requests with conflicts
  • CVE-2024-6530 (CVSS score: 7.3), which results in HTML injection in the OAuth page when authorizing a new application due to a cross-site scripting issue

The advisory is the latest wrinkle in what appears to be a steady stream of pipeline-related vulnerabilities that have been disclosed by GitLab in recent months.

Last month, the company addressed another critical flaw (CVE-2024-6678, CVSS score: 9.9) that could allow an attacker to run pipeline jobs as an arbitrary user.


Prior to that, it also patched three other similar shortcomings – CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).

While there is no evidence of active exploitation of the vulnerability, users are recommended to update their instances to the latest version to safeguard against potential threats.
