GitLab has issued security patches addressing 14 vulnerabilities, including a critical flaw that allows for exploitation to execute continuous integration and continuous deployment (CI/CD) pipelines under any user’s identity.
These security weaknesses, impacting both GitLab Community Edition (CE) and Enterprise Edition (EE), are remedied in the newly released versions 17.1.1, 17.0.3, and 16.11.5.
The paramount vulnerability, designated as CVE-2024-5655 with a CVSS score of 9.6, could enable a nefarious actor to initiate a pipeline impersonating another user under specific conditions.
Affected versions include:
- CE and EE version 17.1 before 17.1.1
- CE and EE version 17.0 before 17.0.3
- CE and EE version 15.8 before 16.11.5
The remediation includes two significant changes: disabling GraphQL authentication using CI_JOB_TOKEN by default and ceasing automatic pipeline execution when a merge request’s target branch is altered post-merge.
Highlighted among the other patched vulnerabilities are:
- CVE-2024-4901 (CVSS score: 8.7): A stored XSS vulnerability that can be introduced through a project with malevolent commit notes.
- CVE-2024-4994 (CVSS score: 8.1): A CSRF attack on GitLab’s GraphQL API, facilitating the execution of arbitrary GraphQL mutations.
- CVE-2024-6323 (CVSS score: 7.5): An authorization loophole in the global search functionality, leading to sensitive information leakage from private repositories in public projects.
- CVE-2024-2177 (CVSS score: 6.8): A cross-window forgery vulnerability permitting an attacker to exploit the OAuth authentication process using a crafted payload.
Although there is no indication of these flaws being actively exploited, users are strongly advised to apply these patches promptly to safeguard against potential threats.
