GitLab

GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.

The vulnerability, which is tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository.

CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, normally available only to users with appropriate permissions.

Wiz

An attacker capable of bypassing branch protections could potentially perform code execution or gain access to sensitive information.

The issue, which has received a CVSS v3.1 rating of 9.6, rating it critical, impacts all GitLab EE versions starting from 12.5 and up to 17.2.8, from 17.3 up to 17.3.4, and from 17.4 up to 17.4.1.

Patches have been made available in versions 17.4.2, 17.3.5, and 17.2.9, which are the upgrade targets for GitLab users.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," warns GitLab's security bulletin.

It is clarified that GitLab Dedicated customers do not need to take any action, as their cloud-hosted instances always run the latest available version.

Along with CVE-2024-9164, the latest GitLab releases address the below security issues:

  • CVE-2024-8970: High severity arbitrary user impersonation flaw enabling attackers to trigger pipelines as another user.
  • CVE-2024-8977: High severity SSRF flaw in the Analytics Dashboard, making instances vulnerable to SSRF attacks.
  • CVE-2024-9631: High severity flaw causing slow performance when viewing diffs of merge requests with conflicts.
  • CVE-2024-6530: High severity HTML injection vulnerability in OAuth page allowing cross-site scripting during OAuth authorization.
  • CVE-2024-9623, CVE-2024-5005, CVE-2024-9596: Low to medium severity flaws, including deploying keys pushing to archived repositories, guest users disclosing project templates via API, and GitLab instance version disclosure to unauthorized users.

GitLab pipelines have lately proved to be a constant source of security vulnerabilities for the platform and its users.

GitLab addressed arbitrary pipeline execution vulnerabilities multiple times this year, including CVE-2024-6678 last month, CVE-2024-6385 in July, and CVE-2024-5655 in June, all rated critical.

For instructions, source code, and packages, check out GitLab's official download portal. The latest GitLab Runner packages are available here.

tines

Break down IAM silos like Bitpanda, KnowBe4, and PathAI

Broken IAM isn't just an IT problem - the impact ripples across your whole business.

This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.

Related Articles:

MongoDB warns admins to patch severe vulnerability immediately

FBI and CISA warn of state hackers attacking Fortinet FortiOS servers

Microsoft Teams to let admins block external users via Defender portal

Microsoft Teams strengthens messaging security by default in January

Critical RCE flaw impacts over 115,000 WatchGuard firewalls