GitLab warns of critical arbitrary branch pipeline execution flaw

GitLab has released security updates to address several flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.

The vulnerability, tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository.

CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, and are normally accessible only to users with the appropriate permissions.

An attacker capable of bypassing branch protections could potentially achieve code execution or gain access to sensitive information.

The issue, which received a CVSS v3.1 score of 9.6, rating it critical, affects all GitLab EE versions from 12.5 up to 17.2.8, from 17.3 up to 17.3.4, and from 17.4 up to 17.4.1.

Patches have been made available in versions 17.4.2, 17.3.5, and 17.2.9, which are the upgrade targets for GitLab users.
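As an added example (not from the article or from GitLab), the following Python check maps an instance's reported version string onto the affected ranges and patched releases given above, so an administrator can tell at a glance whether an upgrade is due and to which release:

```python
# Added example (not from the article or GitLab): decide whether a GitLab EE
# version string falls inside one of the ranges affected by CVE-2024-9164 and,
# if so, name the patched release to upgrade to.
from typing import Optional, Tuple

# (first affected, first fixed) per release line, as listed in the article:
# 12.5 up to 17.2.8 -> fixed in 17.2.9; 17.3 up to 17.3.4 -> fixed in 17.3.5;
# 17.4 up to 17.4.1 -> fixed in 17.4.2
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.3.2', '17.3.2-ee' or '17.3' into a (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop '-ee' / '-ce' style suffixes
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_release_for(version: str) -> Optional[str]:
    """Return the patched release to move to if `version` is affected by
    CVE-2024-9164, or None when it lies outside every affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # half-open interval: the first fixed release itself is not affected
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


if __name__ == "__main__":
    # constructed sample inputs, e.g. values read from /api/v4/version
    for sample in ("17.3.2-ee", "17.2.9", "16.11.0", "17.4.2"):
        print(sample, "->", fixed_release_for(sample) or "not affected")
```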

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” warns GitLab’s security bulletin.

It is clarified that GitLab Dedicated customers do not need to take any action, as their cloud-hosted instances always run the latest available version.

Along with CVE-2024-9164, the latest GitLab releases address the following security issues:

  • CVE-2024-8970: High severity arbitrary user impersonation flaw enabling attackers to trigger pipelines as another user.
  • CVE-2024-8977: High severity SSRF flaw in the Analytics Dashboard, making instances vulnerable to SSRF attacks.
  • CVE-2024-9631: High severity flaw causing slow performance when viewing diffs of merge requests with conflicts.
  • CVE-2024-6530: High severity HTML injection vulnerability in the OAuth page allowing cross-site scripting during OAuth authorization.
  • CVE-2024-9623, CVE-2024-5005, CVE-2024-9596: Low to medium severity flaws, including deploy keys pushing to archived repositories, guest users disclosing project templates via the API, and GitLab instance version disclosure to unauthorized users.

GitLab pipelines have lately proved to be a constant source of security vulnerabilities for the platform and its users.

GitLab addressed arbitrary pipeline execution vulnerabilities several times this year, including CVE-2024-6678 last month, CVE-2024-6385 in July, and CVE-2024-5655 in June, all rated critical.

For instructions, source code, and packages, check GitLab’s official download portal. The latest GitLab Runner packages are available here.
