GitLab has launched safety updates for Neighborhood Version (CE) and Enterprise Version (EE) to handle eight safety flaws, together with a essential bug that might permit operating Steady Integration and Steady Supply (CI/CD) pipelines on arbitrary branches.
Tracked as CVE-2024-9164, the vulnerability carries a CVSS rating of 9.6 out of 10.
“A problem was found in GitLab EE affecting all variations ranging from 12.5 previous to 17.2.9, ranging from 17.3, previous to 17.3.5, and ranging from 17.4 previous to 17.4.2, which permits operating pipelines on arbitrary branches,” GitLab stated in an advisory.
Of the remaining seven points, 4 are rated excessive, two are rated medium, and one is rated low in severity –
- CVE-2024-8970 (CVSS rating: 8.2), which permits an attacker to set off a pipeline as one other person beneath sure circumstances
- CVE-2024-8977 (CVSS rating: 8.2), which permits SSRF assaults in GitLab EE situations with Product Analytics Dashboard configured and enabled
- CVE-2024-9631 (CVSS rating: 7.5), which causes slowness when viewing diffs of merge requests with conflicts
- CVE-2024-6530 (CVSS rating: 7.3), which leads to HTML injection in OAuth web page when authorizing a brand new software as a result of a cross-site scripting subject
The advisory is the most recent wrinkle of what seems to be a gentle stream of pipeline-related vulnerabilities which have been disclosed by GitLab in latest months.
Final month, the corporate addressed one other essential flaw (CVE-2024-6678, CVSS rating: 9.9) that might permit an attacker to run pipeline jobs as an arbitrary person.
Previous to that, it additionally patched three different comparable shortcomings – CVE-2023-5009 (CVSS rating: 9.6), CVE-2024-5655 (CVSS rating: 9.6), and CVE-2024-6385 (CVSS rating: 9.6).
Whereas there isn’t any proof of energetic exploitation of the vulnerability, customers are advisable to replace their situations to the most recent model to safeguard in opposition to potential threats.