GitLab has launched safety updates for Neighborhood Version (CE) and Enterprise Version (EE) to deal with eight safety flaws, together with a essential bug that would enable working Steady Integration and Steady Supply (CI/CD) pipelines on arbitrary branches.
Tracked as CVE-2024-9164, the vulnerability carries a CVSS rating of 9.6 out of 10.
“A problem was found in GitLab EE affecting all variations ranging from 12.5 previous to 17.2.9, ranging from 17.3, previous to 17.3.5, and ranging from 17.4 previous to 17.4.2, which permits working pipelines on arbitrary branches,” GitLab mentioned in an advisory.
Of the remaining seven points, 4 are rated excessive, two are rated medium, and one is rated low in severity –
- CVE-2024-8970 (CVSS rating: 8.2), which permits an attacker to set off a pipeline as one other consumer underneath sure circumstances
- CVE-2024-8977 (CVSS rating: 8.2), which permits SSRF assaults in GitLab EE cases with Product Analytics Dashboard configured and enabled
- CVE-2024-9631 (CVSS rating: 7.5), which causes slowness when viewing diffs of merge requests with conflicts
- CVE-2024-6530 (CVSS rating: 7.3), which leads to HTML injection in OAuth web page when authorizing a brand new software attributable to a cross-site scripting difficulty
The advisory is the most recent wrinkle of what seems to be a gentle stream of pipeline-related vulnerabilities which have been disclosed by GitLab in current months.
Final month, the corporate addressed one other essential flaw (CVE-2024-6678, CVSS rating: 9.9) that would enable an attacker to run pipeline jobs as an arbitrary consumer.
Previous to that, it additionally patched three different related shortcomings – CVE-2023-5009 (CVSS rating: 9.6), CVE-2024-5655 (CVSS rating: 9.6), and CVE-2024-6385 (CVSS rating: 9.6).
Whereas there isn’t any proof of lively exploitation of the vulnerability, customers are really useful to replace their cases to the most recent model to safeguard towards potential threats.
