GitLab released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to trigger continuous integration and continuous deployment (CI/CD) pipelines from any user.
Vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE) have been addressed in versions 17.1.1, 17.0.3, and 16.11.5.
The most serious of the vulnerabilities is CVE-2024-5655 (CVSS score: 9.6), which could allow an attacker to run a pipeline on behalf of another user under certain circumstances.
This affects the following CE and EE versions –
- 17.1 to 17.1.1
- 17.0 to 17.0.3
- 15.8 to 16.11.5
GitLab said the fix introduces two critical changes, whereby GraphQL authentication using CI_JOB_TOKEN is disabled by default, and pipelines will no longer start automatically when a merge request is redirected after a previous target branch has been merged.
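As an added example (not code from GitLab or from the article), the following Python snippet checks whether a GitLab CE/EE version string, such as the one an administrator gets from the instance's `/api/v4/version` endpoint, falls inside the affected ranges listed above for CVE-2024-5655 and names the release to upgrade to. It assumes the fixed versions named in the article (16.11.5, 17.0.3, 17.1.1) are the first patched releases of their respective ranges, so a version is flagged when it is at or above a range's start and below that fixed version.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2024-5655 as summarised in the article, as
# (first affected release, first fixed release). A version is treated as
# vulnerable when start <= version < fixed (assumption: the fixed releases
# named in the advisory summary are the first patched ones in each range).
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]

# Accepts "17.1.0", "16.11.4-ee", "17.0.2-pre" or a bare "17.0" (patch = 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def affected_range(version: Version) -> Optional[Tuple[Version, Version]]:
    """Return the (start, fixed) range containing `version`, or None if not affected."""
    for start, fixed in AFFECTED_RANGES:
        if start <= version < fixed:
            return (start, fixed)
    return None


def is_vulnerable(text: str) -> bool:
    """True when the given version string lies in an affected range."""
    return affected_range(parse_version(text)) is not None


def recommended_upgrade(text: str) -> Optional[str]:
    """Name the first fixed release for an affected version, or None if already patched."""
    rng = affected_range(parse_version(text))
    return None if rng is None else "%d.%d.%d" % rng[1]


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ["16.11.4-ee", "16.11.5", "17.0.2", "17.1.1", "15.7.9"]:
        target = recommended_upgrade(sample)
        print(sample, "-> upgrade to", target if target else "(not affected)")
```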
Some other important bugs fixed in the latest release are listed below –
- CVE-2024-4901 (CVSS Score: 8.7) – A stored XSS vulnerability that can be imported from a project with malicious patch notes
- CVE-2024-4994 (CVSS Score: 8.1) – CSRF attack on GitLab’s GraphQL API leading to arbitrary GraphQL mutations
- CVE-2024-6323 (CVSS Score: 7.5) – Authorization error in the global search function that allows the leakage of sensitive information from a private repository in a public project
- CVE-2024-2177 (CVSS Score: 6.8) – Cross-window forgery vulnerability that allows an attacker to abuse the OAuth authentication flow via a crafted payload
Although there is no evidence that the flaws are being actively exploited, users are advised to apply the patches to reduce potential threats.