GitLab Releases Critical Security Updates
GitLab has released crucial security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing 14 vulnerabilities, including a critical one that poses a significant risk. The updates are available in versions 17.1.1, 17.0.3, and 16.11.5.
Critical Vulnerability: CVE-2024-5655
The most severe flaw, identified as CVE-2024-5655, has a CVSS score of 9.6. This vulnerability could allow an attacker to run Continuous Integration/Continuous Deployment (CI/CD) pipelines as any user. The issue impacts the following GitLab versions:
• Versions prior to 17.1.1
• Versions prior to 17.0.3
• Versions 15.8 to 16.11.4
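As an added example, not code from GitLab or from this article, the following Python checker maps an instance's reported version onto the affected ranges listed above. It assumes each range describes one release line (the 17.1 line before 17.1.1, the 17.0 line before 17.0.3, and 15.8 up to 16.11.4) and reads the JSON shape of GitLab's GET /api/v4/version endpoint from constructed sample bodies.

```python
import json
import re

# Fixed releases named in the advisory (CE and EE).
FIXED_VERSIONS = ("17.1.1", "17.0.3", "16.11.5")

# Affected ranges for CVE-2024-5655 as listed above, read as one range per
# release line (assumption: "prior to 17.1.1" means the 17.1 line before
# 17.1.1, "prior to 17.0.3" the 17.0 line before 17.0.3, and 15.8 up to 16.11.4).
AFFECTED_RANGES = (
    ((17, 1, 0), (17, 1, 1)),   # 17.1.0 <= v < 17.1.1
    ((17, 0, 0), (17, 0, 3)),   # 17.0.0 <= v < 17.0.3
    ((15, 8, 0), (16, 11, 5)),  # 15.8.0 <= v < 16.11.5 (i.e. up to 16.11.4)
)

def parse_version(text):
    """Turn '16.11.4-ee' or '17.0.2' into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version_text):
    """True if the version falls inside an affected range for CVE-2024-5655."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def check_instance(version_json):
    """Evaluate a JSON body in the shape returned by GET /api/v4/version."""
    version = json.loads(version_json)["version"]
    return {"version": version, "affected": is_affected(version)}

# Constructed sample responses (not real instances) in the /api/v4/version shape.
SAMPLE_RESPONSES = [
    '{"version": "16.11.4-ee", "revision": "constructed"}',
    '{"version": "17.0.2", "revision": "constructed"}',
    '{"version": "17.1.1-ee", "revision": "constructed"}',
    '{"version": "15.7.8", "revision": "constructed"}',
]

if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        result = check_instance(body)
        status = "AFFECTED - upgrade" if result["affected"] else "not in a listed range"
        print(f"{result['version']:<12} {status}")
```

Versions older than 15.8 report as "not in a listed range" only because the article does not list them; that is not a statement that they are safe.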
Major Changes with the Update
To address the vulnerability, GitLab has introduced two significant changes:
1. Manual Pipeline Execution: Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Users must now manually start the pipeline to execute CI for their changes.
2. GraphQL Authentication: CI_JOB_TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5. Users needing GraphQL API access must configure one of the supported token types for authentication.
Other High-Severity Vulnerabilities
In addition to the critical flaw, the updates address three other high-severity vulnerabilities:
• CVE-2024-4901 (CVSS score: 8.7): A stored cross-site scripting (XSS) vulnerability in which malicious commit notes could be imported from a project.
• CVE-2024-4994 (CVSS score: 8.1): A cross-site request forgery (CSRF) vulnerability in the GraphQL API, allowing arbitrary GraphQL mutations to be executed by tricking authenticated users.
• CVE-2024-6323 (CVSS score: 7.5): An authorization flaw in the global search feature, potentially leading to sensitive information leakage from private repositories within public projects.
Recommendations
While there is no evidence that these vulnerabilities have been exploited, GitLab strongly recommends that users update their installations to the latest versions immediately to mitigate potential threats.