
GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities.
The critical vulnerability, tracked as CVE-2024-9164, affects GitLab EE in all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, and allows running pipelines on arbitrary branches.
GitLab addressed the following four high-severity issues:
- CVE-2024-8970 (CVSS score 8.2): an attacker can exploit the flaw to trigger a pipeline as another user under certain circumstances.
- CVE-2024-8977 (CVSS score 8.2): an attacker can exploit the flaw to conduct SSRF attacks in GitLab EE instances with the Product Analytics Dashboard configured and enabled.
- CVE-2024-9631 (CVSS score 7.5): causes slowness while viewing diffs of merge requests with conflicts.
- CVE-2024-6530 (CVSS score 7.3): HTML injection in the OAuth page when authorizing a new application, due to a cross-site scripting issue.
The two medium-severity issues addressed by the organization are:
- CVE-2024-9623 (CVSS score 4.9): deploy keys can push changes to an archived repository.
- CVE-2024-5005 (CVSS score 4.3): guests can disclose project templates.
GitLab strongly recommends that all installations running a version affected by the issues described above be upgraded to the latest version as soon as possible.
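To decide whether a given instance falls inside the affected ranges stated above for CVE-2024-9164, the following version check is an added example (not GitLab's own code); it assumes the version string has the usual `MAJOR.MINOR.PATCH` shape, optionally with an `-ee`/`-ce` suffix, and that a missing patch component means `.0`.

```python
import re

# Affected ranges for CVE-2024-9164 as stated in the advisory, as
# (first affected version, first fixed version); the fixed version is exclusive.
AFFECTED_RANGES_CVE_2024_9164 = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]


def parse_version(text):
    """Parse a GitLab version string such as '17.4.1' or '17.4.1-ee' into a
    (major, minor, patch) tuple. Edition suffixes are ignored; a missing
    patch component (e.g. '17.3') is treated as .0 (assumption)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text, ranges=AFFECTED_RANGES_CVE_2024_9164):
    """True if the version lies in any [first_affected, first_fixed) range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in ranges)


def minimum_fixed_version(version_text, ranges=AFFECTED_RANGES_CVE_2024_9164):
    """Return the first patched release on the same release line as a string,
    or None when the version is not affected."""
    v = parse_version(version_text)
    for lo, hi in ranges:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ["17.4.1-ee", "17.4.2-ee", "17.3", "16.11.3", "12.4.9"]:
        fix = minimum_fixed_version(sample)
        status = f"affected, upgrade to {fix}" if fix else "not in affected range"
        print(f"{sample:>12}: {status}")
```

The running version can be read from the instance's `GET /api/v4/version` endpoint and passed to `is_affected`; the advisory names GitLab EE, so the edition suffix is worth checking alongside the number.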