GitLab on Wednesday announced security patches for GitLab Community Edition (CE) and Enterprise Edition (EE) that resolve 14 vulnerabilities, including one critical- and three high-severity flaws.
The critical issue, tracked as CVE-2024-5655 (CVSS score of 9.6) and impacting GitLab CE/EE versions newer than 15.8, 17.0, and 17.1, could allow an attacker to trigger a pipeline as another user under certain circumstances.
Reported via GitLab’s bug bounty program, the issue was addressed by modifying the workflow so that “a pipeline will not automatically run when a merge request is automatically re-targeted due to its previous target branch being merged”.
“GraphQL authentication using CI_JOB_TOKEN is disabled by default from 17.0.0, and back ported to 17.0.3, 16.11.5 in the current patch release. If access to the GraphQL API is required, please configure one of the several supported token types for authentication,” GitLab also notes in its advisory.
According to GitLab, it has no evidence of this security defect being exploited on any platforms it manages, such as GitLab.com and GitLab Dedicated instances.
Two of the addressed high-severity vulnerabilities are a cross-site scripting (XSS) issue that could be introduced by importing a project containing malicious commit notes (CVE-2024-4901), and a cross-site request forgery (CSRF) issue in the GraphQL API that could lead to the execution of arbitrary GraphQL mutations (CVE-2024-4994).
The GitLab EE updates also resolve a high-severity improper authorization issue in global search (CVE-2024-6323) that could allow an attacker to leak content from a private repository in a public project.
The latest GitLab releases also address nine medium-severity vulnerabilities that could lead to OAuth authentication flow abuse, deletion of the merge request approval policy, denial-of-service (DoS), improper access to private job artifacts, resource exhaustion via the banzai pipeline, public visibility of merge request titles, and access to issues and epics without an SSO session.
GitLab CE/EE versions 17.1.1, 17.0.3, and 16.11.5 include patches for all these vulnerabilities. Users are advised to update their installations as soon as possible.
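One defender-side check that follows from the version list above, added here as an example rather than GitLab's own tooling: given each instance's version string (for example as returned by GitLab's `/api/v4/version` endpoint), decide whether it is on a fixed release and, if not, which release to move to. The `parse_version`, `assess` and `scan` helpers and the inventory of hosts and versions are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# Fixed releases from the advisory summary, one per release line still receiving fixes.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 11): (16, 11, 5),
    (17, 0): (17, 0, 3),
    (17, 1): (17, 1, 1),
}
FIRST_AFFECTED = (15, 8, 0)      # affected range starts at 15.8
FIRST_UNAFFECTED_LINE = (17, 2)  # every later release line ships with the fixes

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', dropping an '-ee' / '-ce' suffix if present."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, version to upgrade to) for one instance's version string."""
    v = parse_version(version)
    line = v[:2]
    if v < FIRST_AFFECTED:
        return ("outside affected range", None)
    if line >= FIRST_UNAFFECTED_LINE:
        return ("patched", None)
    fixed = FIXED.get(line)
    if fixed is None:
        # e.g. 16.10.x: no fix on this line, so move to the nearest fixed line above it
        fixed = min(f for f in FIXED.values() if f[:2] > line)
    elif v >= fixed:
        return ("patched", None)
    return ("vulnerable", ".".join(str(n) for n in fixed))

def scan(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every instance in a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions, not real systems).
SAMPLE_INVENTORY = {
    "gitlab-a": "17.1.0-ee",
    "gitlab-c": "16.10.7",
    "gitlab-d": "16.11.5-ce",
    "gitlab-e": "15.7.2",
}

if __name__ == "__main__":
    for host, (status, target) in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f", upgrade to {target}" if target else ""))
```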