
GitLab has released critical security updates for both its Community Edition (CE) and Enterprise Edition (EE). The new versions, 17.1.1, 17.0.3, and 16.11.5, contain security and bug fixes, and GitLab urges all self-managed users to upgrade immediately to protect their installations from potential exploitation.
Run Pipelines as Any User
This vulnerability, tracked as CVE-2024-5655 with a CVSS score of 9.6, allows an attacker to trigger a pipeline as another user under certain conditions. Because a pipeline runs with the permissions and CI/CD variables of the user it is attributed to, this is the most severe flaw of the release. The fix comes with two breaking changes: pipelines no longer run automatically when a merge request (MR) is re-targeted after its previous target branch is merged, so users must start such pipelines manually, and GraphQL authentication using CI_JOB_TOKEN is now disabled by default, so integrations that rely on it must switch to another authentication method.
Stored XSS in Imported Project’s Commit Notes
This vulnerability, tracked as CVE-2024-4901 with a CVSS score of 8.7, is a stored cross-site scripting (XSS) flaw. It can be exploited through malicious commit notes in imported projects and affects versions from 16.9 onwards. Successful exploitation allows an attacker to execute arbitrary script in the browser session of a user who views the notes.
CSRF on GraphQL API IntrospectionQuery
This vulnerability, tracked as CVE-2024-4994 with a CVSS score of 8.1, is a cross-site request forgery (CSRF) flaw in the GraphQL API's IntrospectionQuery. It allows an attacker to execute arbitrary GraphQL mutations on behalf of a logged-in victim, potentially leading to unauthorized actions within the GitLab instance.
The other vulnerabilities fixed in this release are listed below.
- CVE-2024-6323, CVSS score 7.5: improper authorization in global search allowing leakage of private repository content in public projects.
- CVE-2024-2177, CVSS score 6.8: cross-window forgery in the user application OAuth flow.
- CVE-2024-5430, CVSS score 6.8: a project maintainer can bypass group merge request approval policies.
- CVE-2024-4025, CVSS score 6.5: regular expression denial of service (ReDoS) via custom-built markdown pages.
- CVE-2024-3959, CVSS score 6.5: unauthorized access to private job artifacts.
- CVE-2024-4557, CVSS score 6.5: security fixes for the Banzai pipeline.
- CVE-2024-1493, CVSS score 6.5: ReDoS in the dependency linker.
- CVE-2024-1816, CVSS score 5.3: denial of service (DoS) using crafted OpenAPI files.
- CVE-2024-2191, CVSS score 5.3: disclosure of merge request titles.
- CVE-2024-3115, CVSS score 4.3: access to epics without an SSO session.
- CVE-2024-4011, CVSS score 3.1: non-project members can promote key results to objectives.
While GitLab has not found evidence of these vulnerabilities being exploited in the wild, the critical nature of these flaws necessitates immediate action. Self-managed users of GitLab CE and EE are strongly advised to upgrade to 17.1.1, 17.0.3, or 16.11.5 without delay to ensure the security and integrity of their installations.
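The following script is an added example, not GitLab's own tooling: it takes a GitLab version string (as returned by the documented `GET /api/v4/version` endpoint, which requires a `PRIVATE-TOKEN` header) and reports whether the instance is on or above the patched release for its line, using only the fixed versions and the 16.9 lower bound for CVE-2024-4901 named in this article. The JSON body embedded below is constructed for the example; fetching it from a real instance is left to the reader.

```python
"""Check a GitLab version against the 17.1.1 / 17.0.3 / 16.11.5 security release.

Added example for this advisory; not GitLab's own code.
"""
import json
import re
from typing import Dict, Tuple

# Lowest patched version on each release line GitLab shipped fixes for.
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 1): (17, 1, 1),
    (17, 0): (17, 0, 3),
    (16, 11): (16, 11, 5),
}
# CVE-2024-4901 (stored XSS in imported commit notes) affects 16.9 onwards.
XSS_INTRODUCED = (16, 9, 0)

# GitLab reports versions like "17.0.2", "17.0.2-ee" or "17.1.0-ce".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")

# Constructed sample of a GET /api/v4/version response body (not captured from a real host).
SAMPLE_BODY = '{"version":"17.0.2-ee","revision":"0123abcd"}'


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.0.2-ee' into (17, 0, 2); raise ValueError on anything unexpected."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = match.group(1, 2, 3)
    return int(major), int(minor), int(patch)


def assess(version: str) -> dict:
    """Report whether `version` carries the fixes announced in this release."""
    v = parse_version(version)
    line = v[:2]
    if line in PATCHED:
        # Supported line: patched if at or above the announced fixed version.
        patched = v >= PATCHED[line]
        fixed = ".".join(str(n) for n in PATCHED[line])
        note = "patched" if patched else f"upgrade to {fixed}"
    elif v > max(PATCHED.values()):
        # Newer line than any named here; it shipped after the fixes landed.
        patched = True
        note = "newer than this advisory's fixed releases"
    else:
        # Older line that received no patch in this release (e.g. 16.10.x).
        patched = False
        note = "unsupported release line; upgrade to a supported patched release"
    return {
        "version": version,
        "patched": patched,
        # Only builds from 16.9 onwards carry the vulnerable commit-note import path.
        "cve_2024_4901_affected": (v >= XSS_INTRODUCED) and not patched,
        "note": note,
    }


def assess_api_response(body: str) -> dict:
    """Assess the JSON body returned by GET /api/v4/version."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    for result in (assess_api_response(SAMPLE_BODY), assess("16.11.5-ce"), assess("16.10.9")):
        print(result)
```

Version lines older than 16.11 are reported as unpatched on purpose: GitLab only backports security fixes to the three most recent release lines, so an instance on 16.10 or earlier has to move to one of the three fixed versions rather than wait for a patch on its own line.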

