GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user.
The weaknesses, which affect GitLab Community Edition (CE) and Enterprise Edition (EE), have been addressed in versions 17.1.1, 17.0.3, and 16.11.5.
The most severe of the vulnerabilities is CVE-2024-5655 (CVSS score: 9.6), which could allow a malicious actor to trigger a pipeline as another user under certain circumstances.
It affects the following versions of CE and EE –
- 17.1 prior to 17.1.1
- 17.0 prior to 17.0.3, and
- 15.8 prior to 16.11.5
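A quick way to triage a fleet of self-managed instances against the CVE-2024-5655 ranges listed above is a small version check; the code below is an added example, not GitLab's own tooling, and the affected ranges it encodes are taken from this advisory (15.8 up to but excluding 16.11.5, 17.0 before 17.0.3, 17.1 before 17.1.1).

```python
"""Check whether a GitLab CE/EE version is in the CVE-2024-5655 affected ranges.

Added example; the ranges below are the ones stated in the advisory,
expressed as (first affected version, first fixed version).
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, fixed release exclusive), per the advisory.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 1, 0), (17, 1, 1)),
    ((17, 0, 0), (17, 0, 3)),
    ((15, 8, 0), (16, 11, 5)),
]


def parse_version(text: str) -> Version:
    """Parse strings such as '17.0.2', 'v16.11.4' or '17.1.0-ee' into a tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def minimum_fix(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside any advisory range for CVE-2024-5655."""
    return minimum_fix(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from each instance's /api/v4/version.
    for host, ver in [("ci-a", "17.0.2-ee"), ("ci-b", "16.11.5"), ("ci-c", "16.3.1")]:
        fix = minimum_fix(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not in affected range'}")
```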
GitLab said the fix introduces two breaking changes, as a result of which GraphQL authentication using CI_JOB_TOKEN is disabled by default and pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged.
Some of the other important flaws fixed as part of the latest release are listed below –
- CVE-2024-4901 (CVSS score: 8.7) – A stored XSS vulnerability could be imported from a project with malicious commit notes
- CVE-2024-4994 (CVSS score: 8.1) – A CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations
- CVE-2024-6323 (CVSS score: 7.5) – An authorization flaw in the global search feature that allows for leakage of sensitive information from a private repository within a public project
- CVE-2024-2177 (CVSS score: 6.8) – A cross-window forgery vulnerability that allows an attacker to abuse the OAuth authentication flow via a crafted payload
While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches to mitigate potential threats.