GitLab has issued security updates for both its Community Edition (CE) and Enterprise Edition (EE) to address eight security vulnerabilities, including a critical flaw that could allow the execution of Continuous Integration and Continuous Delivery (CI/CD) pipelines on unauthorized branches. This critical bug, tracked as CVE-2024-9164, has a CVSS score of 9.6, making it a high-risk issue for affected systems.
Vulnerability Overview
The CVE-2024-9164 vulnerability impacts multiple GitLab versions, specifically:
- Versions from 12.5 up to but not including 17.2.9
- Versions from 17.3 up to but not including 17.3.5
- Versions from 17.4 up to but not including 17.4.2
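The three ranges above are easy to misread when triaging an inventory of instances, so here is a small version-range check that encodes them directly. This is an added example, not GitLab's own tooling; the only GitLab-specific assumption is the shape of the `GET /api/v4/version` response (`{"version": "...", "revision": "..."}`), and the sample body embedded below is constructed rather than captured from a real instance.

```python
"""Check whether a GitLab version falls inside the CVE-2024-9164 affected ranges.

Added example, not GitLab's own code. The ranges are the ones listed above:
  12.5 <= v < 17.2.9, 17.3 <= v < 17.3.5, 17.4 <= v < 17.4.2
The sample API response at the bottom is constructed, not captured from a live server.
"""
import json
import re

# (start inclusive, end exclusive) tuples taken from the advisory text.
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]


def parse_version(text):
    """Turn '17.4.1' or '17.4.1-ee' into a comparable (major, minor, patch) tuple.

    Edition suffixes such as '-ee' are ignored; a missing patch component is
    treated as .0 so that '17.3' sorts as the start of the 17.3 series."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(version):
    """Return the (start, end) range that contains the version, or None if unaffected."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if start <= v < end:
            return (start, end)
    return None


def is_affected(version):
    """True when the version is inside one of the advisory's affected ranges."""
    return affected_range(version) is not None


def check_api_response(payload):
    """Evaluate a body from GitLab's GET /api/v4/version endpoint and return a verdict.

    The endpoint itself exists in GitLab; the caller is expected to have fetched
    the body with an authenticated request. Accepts either the raw JSON string
    or the already-decoded dict."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    rng = affected_range(data["version"])
    return {
        "version": data["version"],
        "vulnerable": rng is not None,
        # The exclusive upper bound of the matching range is the first fixed release.
        "fixed_in": ".".join(map(str, rng[1])) if rng else None,
    }


# Constructed sample response; the revision value is a placeholder.
SAMPLE_RESPONSE = '{"version": "17.4.1-ee", "revision": "0000000"}'

if __name__ == "__main__":
    for v in ["12.4.9", "12.5.0", "17.2.8", "17.2.9", "17.3.4", "17.3.5", "17.4.1", "17.4.2"]:
        print(f"{v:>8}: {'vulnerable' if is_affected(v) else 'ok'}")
    print(check_api_response(SAMPLE_RESPONSE))
```

Because each range's upper bound is exclusive, the verdict also reports the first release that closes the window (`fixed_in`), which is the number an operator actually needs when scheduling the upgrade.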
According to GitLab, this flaw allows pipelines to be executed on arbitrary branches, which could be exploited by threat actors to cause potential security breaches or unauthorized changes in the CI/CD process.
Other Notable Vulnerabilities
In addition to CVE-2024-9164, GitLab has addressed seven other vulnerabilities:
- CVE-2024-8970 (CVSS score: 8.2): This vulnerability allows attackers to trigger a pipeline as another user under specific conditions.
- CVE-2024-8977 (CVSS score: 8.2): An issue in GitLab EE instances with Product Analytics Dashboard enabled, which could lead to Server-Side Request Forgery (SSRF) attacks.
- CVE-2024-9631 (CVSS score: 7.5): A performance issue that causes slow responses when viewing merge request diffs that contain conflicts.
- CVE-2024-6530 (CVSS score: 7.3): A cross-site scripting (XSS) issue in the OAuth page that can lead to HTML injection when authorizing a new application.
Ongoing Vulnerability Trends in GitLab
This is part of an ongoing trend of pipeline-related vulnerabilities in GitLab. Last month, GitLab addressed another critical flaw (CVE-2024-6678, CVSS score: 9.9) that allowed attackers to run pipeline jobs as arbitrary users. Additionally, three other similar vulnerabilities (CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385), each with a CVSS score of 9.6, were patched earlier this year.
Mitigation and Recommendations
While there is no evidence of active exploitation of the vulnerabilities, GitLab strongly recommends users update their instances to the latest version to ensure protection from potential security threats. Keeping systems up to date with the latest security patches is crucial for maintaining the integrity of CI/CD pipelines and preventing unauthorized access.
GitLab users should apply the latest updates to safeguard their environments from these high-risk vulnerabilities.