
GitLab Security Updates Patch 14 Vulnerabilities

GitLab CE and EE updates resolve 14 vulnerabilities, including one critical- and three high-severity bugs.

GitLab on Wednesday announced security patches for GitLab Community Edition (CE) and Enterprise Edition (EE) that resolve 14 vulnerabilities, including one critical- and three high-severity flaws.

The critical issue, tracked as CVE-2024-5655 (CVSS score of 9.6) and impacting GitLab CE/EE versions newer than 15.8, 17.0, and 17.1, could allow an attacker to trigger a pipeline as another user under certain circumstances.

Reported via GitLab’s bug bounty program, the issue was addressed by modifying the workflow so that “a pipeline will not automatically run when a merge request is automatically re-targeted due to its previous target branch being merged”.

“GraphQL authentication using CI_JOB_TOKEN is disabled by default from 17.0.0, and backported to 17.0.3, 16.11.5 in the current patch release. If access to the GraphQL API is required, please configure one of the several supported token types for authentication,” GitLab also notes in its advisory.

According to GitLab, it has no evidence of this security defect being exploited on any platforms it manages, such as GitLab.com and GitLab Dedicated instances.

Two of the addressed high-severity vulnerabilities are a cross-site scripting (XSS) issue that could be triggered by importing a project containing malicious commit notes (CVE-2024-4901), and a cross-site request forgery (CSRF) issue in the GraphQL API that could lead to the execution of arbitrary GraphQL mutations (CVE-2024-4994).

The GitLab EE updates also resolve a high-severity improper authorization issue in global search (CVE-2024-6323) that could allow an attacker to leak content from a private repository in a public project.

The latest GitLab releases also address nine medium-severity vulnerabilities that could lead to OAuth authentication flow abuse, deletion of the merge request approval policy, denial-of-service (DoS), improper access to private job artifacts, resource exhaustion via the Banzai pipeline, public visibility of merge request titles, and access to issues and epics without an SSO session.


GitLab CE/EE versions 17.1.1, 17.0.3, and 16.11.5 include patches for all these vulnerabilities. Users are advised to update their installations as soon as possible.
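Because the fix lives in three separate release lines, the practical question for an administrator is whether a given instance's version is at or above the patched release for its line. The following is an added example, not GitLab's own code: it takes the patched versions named above (17.1.1, 17.0.3, 16.11.5) and the advisory's stated starting version (15.8) and classifies a version string. The mapping of a version to its release line, the treatment of versions below 15.8 as outside the stated range, and the sample JSON bodies (shaped like the response of GitLab's `GET /api/v4/version` endpoint) are this example's own assumptions and constructed data.

```python
"""Classify a GitLab CE/EE version against the 17.1.1 / 17.0.3 / 16.11.5
security release.

Added example, not GitLab's code. Patched versions and the 15.8 starting
point come from the advisory summary; the release-line mapping and the
handling of versions older than 15.8 are assumptions of this example.
"""
import json
import re
from typing import Dict, Tuple

# Patched releases named in the advisory, keyed by release line (major, minor).
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 11): (16, 11, 5),
    (17, 0): (17, 0, 3),
    (17, 1): (17, 1, 1),
}

# The advisory's affected range starts at 15.8; anything older is treated
# as outside the stated range (assumption, not a statement that it is safe).
AFFECTED_FROM = (15, 8, 0)

# Accepts "17.0.2", "17.0.2-ee", "16.11.5-ce.0" and similar suffixes.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'out-of-range' for a version string."""
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return "out-of-range"
    line = (v[0], v[1])
    if line in PATCHED:
        # Same release line as a patched build: compare patch level directly.
        return "patched" if v >= PATCHED[line] else "vulnerable"
    # Any line newer than the newest patched release ships after the fix;
    # in-range lines that never received a backport (e.g. 16.10.x) need an
    # upgrade to a patched line.
    newest_patched = max(PATCHED.values())
    return "patched" if v >= newest_patched else "vulnerable"


def status_from_api_body(body: str) -> str:
    """Classify the JSON body of GET /api/v4/version ({"version": ..., "revision": ...})."""
    return status(json.loads(body)["version"])


# Constructed sample responses standing in for two instances (not real data).
SAMPLE_BODIES = {
    "prod": '{"version":"17.0.2-ee","revision":"0000000"}',
    "staging": '{"version":"17.1.1","revision":"0000000"}',
}


def report(bodies: Dict[str, str] = SAMPLE_BODIES) -> Dict[str, str]:
    """Map each instance name to its patch status."""
    return {name: status_from_api_body(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

The same function works on the output of a fleet inventory, a Helm values file or a package manager, as long as the version string starts with the usual `major.minor.patch` form; suffixes such as `-ee` are ignored by the parser.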


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
