Stratos Ally

GitLab Patches Critical Security Vulnerability in CI/CD Pipelines

StratosAlly

GitLab has released updates fixing 14 security vulnerabilities, among them a critical flaw that could let an attacker run Continuous Integration and Deployment (CI/CD) pipelines as any other user. The fixes ship in versions 17.1.1, 17.0.3 and 16.11.5 of both GitLab Community Edition (CE) and Enterprise Edition (EE).

The most severe of these, CVE-2024-5655, carries a CVSS score of 9.6 and allows an attacker to trigger pipelines as another user under certain conditions. It affects GitLab 17.1 before 17.1.1, 17.0 before 17.0.3, and 15.8 before 16.11.5.
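A quick way to tell whether an instance falls inside those ranges is to encode them as version intervals and compare. The script below is an added example written for this page, not GitLab's own tooling; the intervals are taken from the affected-version list quoted above, and the version strings it is run on are constructed samples (in practice you would feed it the value reported by your own instance).

```python
"""Check whether a GitLab version string falls inside the ranges listed as
affected by CVE-2024-5655 (pipeline execution as another user).

Added example for this page; the range logic is the editor's, not GitLab's.
Ranges: 15.8 <= v < 16.11.5, 17.0 <= v < 17.0.3, 17.1 <= v < 17.1.1.
"""
from __future__ import annotations

import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) pairs. A version v is affected when
# first_affected <= v < first_fixed. 15.8 with no patch number is read as 15.8.0.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]


def parse_version(text: str) -> Version:
    """Turn 'major.minor[.patch]' into a comparable tuple.

    Edition and build suffixes such as '-ee', '-ce' or '-pre' are ignored, so a
    pre-release build of a fixed version is reported as fixed; operators running
    nightly builds should confirm the build actually contains the patch.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(text: str) -> bool:
    """True if the version lies in any affected interval."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix_for(text: str) -> Optional[str]:
    """First fixed release on the same branch, or None if not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


if __name__ == "__main__":
    # Constructed sample inputs; replace with the version your instance reports.
    for sample in ("16.11.4-ee", "16.11.5-ee", "17.0.2", "17.1.1", "15.7.8"):
        fix = minimum_fix_for(sample)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in affected range"
        print(f"{sample:>12}: {status}")
```

Note that the check only covers CVE-2024-5655; the other 13 fixes in this release may have different affected ranges, so the safe course is still to move to 17.1.1, 17.0.3 or 16.11.5 regardless of the result.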

Think of it like this: if a mischievous student could hand in homework under another student's name, the teacher would act on it as if it came from that student. This GitLab flaw is similar. A pipeline run under someone else's identity executes with that user's permissions, so an attacker could reach protected branches, CI variables and deployment targets that their own account cannot.

Among the other notable vulnerabilities addressed are CVE-2024-4901 (CVSS score: 8.7), a stored cross-site scripting (XSS) flaw that could be introduced by importing a project containing malicious commit notes, and CVE-2024-4994 (CVSS score: 8.1), a cross-site request forgery (CSRF) flaw in GitLab's GraphQL API that allows execution of arbitrary mutations. CVE-2024-6323 (CVSS score: 7.5) and CVE-2024-2177 (CVSS score: 6.8) were also fixed; the former could leak sensitive information, the latter allowed abuse of the OAuth flow.

Although there is no evidence that these vulnerabilities are being actively exploited, GitLab strongly recommends applying the patches. The release also includes two breaking changes: authenticating to the GraphQL API with a CI_JOB_TOKEN is now disabled by default, and a merge request's pipeline no longer runs automatically when the request is re-targeted after its previous target branch is merged. Jobs that call the GraphQL API with CI_JOB_TOKEN will therefore fail after the upgrade unless that setting is re-enabled or they are switched to another credential.

Stay secure and ensure your GitLab installations are up-to-date to protect your projects and data.
