GitLab Issues Fix for Critical CI/CD Pipeline Security Issue and 13 Other Vulnerabilities
GitLab has rolled out security patches to fix 14 security vulnerabilities, including a critical flaw that could allow unauthorized execution of continuous integration and continuous deployment (CI/CD) pipelines.
These vulnerabilities affect GitLab Community Edition (CE) and Enterprise Edition (EE), and have been rectified in versions 17.1.1, 17.0.3, and 16.11.5.
The most significant vulnerability is CVE-2024-5655 (CVSS score: 9.6), which could enable a malicious actor to initiate a pipeline as a different user under specific conditions.
It impacts the following versions of CE and EE:
- Versions 17.1 before 17.1.1
- Versions 17.0 before 17.0.3
- Versions 15.8 before 16.11.5
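To turn the affected-version list above into a repeatable inventory check, the following added example (not code from GitLab or from the original article) encodes the three ranges as half-open intervals and reports the fixed release to upgrade to. The version strings it parses are constructed sample values in the `X.Y.Z` or `X.Y.Z-ee` form GitLab reports; the range bounds come only from the list above, so a version below 15.8 is treated as outside the advisory rather than as safe or unsafe on other grounds.

```python
"""Check a GitLab CE/EE version against the ranges affected by CVE-2024-5655.

Added example; the ranges are taken from the advisory text quoted in the article:
  17.1 before 17.1.1, 17.0 before 17.0.3, 15.8 before 16.11.5.
Each range is (lowest affected version inclusive, first fixed version exclusive).
"""
import re

AFFECTED_RANGES = [
    ((17, 1, 0), (17, 1, 1)),
    ((17, 0, 0), (17, 0, 3)),
    ((15, 8, 0), (16, 11, 5)),
]


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z', ignoring an edition suffix such as '-ee', into an int tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fmt(version_tuple):
    """Render an int tuple back to dotted form, e.g. (16, 11, 5) -> '16.11.5'."""
    return ".".join(str(part) for part in version_tuple)


def affected_range(version):
    """Return (lower, fixed) for the advisory range containing `version`, or None.

    None means the version is not inside any listed affected range, which covers
    both patched releases (>= fixed) and releases older than 15.8.
    """
    parsed = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= parsed < fixed:
            return lower, fixed
    return None


def advise(version):
    """One-line human-readable verdict for a single instance version."""
    found = affected_range(version)
    if found is None:
        return f"{version}: not in an affected range for CVE-2024-5655"
    lower, fixed = found
    return (f"{version}: affected ({fmt(lower)} <= v < {fmt(fixed)}); "
            f"upgrade to {fmt(fixed)}")


if __name__ == "__main__":
    # Constructed sample inventory, e.g. values collected from each instance's version API.
    sample_inventory = ["16.11.4-ee", "17.0.2", "17.1.0-ce", "17.1.1-ee", "15.7.9"]
    for reported in sample_inventory:
        print(advise(reported))
```

The comparison is done on integer tuples rather than strings so that `16.11.4` sorts below `16.11.5` and `17.0.2` below `17.0.3`; a naive string comparison would get `16.9.x` versus `16.11.x` wrong.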
According to GitLab, the fix introduces two major changes: GraphQL authentication using CI_JOB_TOKEN is disabled by default, and pipelines no longer run automatically when a merge request is retargeted after its previous target branch has been merged.
Other notable flaws addressed in the latest update include:
- CVE-2024-4901 (CVSS score: 8.7) – Addressed a stored XSS vulnerability that could be introduced through malicious commit notes in a project
- CVE-2024-4994 (CVSS score: 8.1) – Fixed a CSRF vulnerability in GitLab's GraphQL API that could lead to the execution of unauthorized GraphQL mutations
- CVE-2024-6323 (CVSS score: 7.5) – Resolved an authorization flaw in the global search feature, preventing sensitive information leakage from private repositories within public projects
- CVE-2024-2177 (CVSS score: 6.8) – Mitigated a cross-window forgery vulnerability that could allow a threat actor to manipulate the OAuth authentication flow using a forged payload
While there is no reported exploitation of these vulnerabilities, users are advised to apply the patches promptly as a preventive measure.