Monday, March 10, 2025

New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution



GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.

Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10.


“An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches,” GitLab said in an advisory.
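The three version ranges in the advisory are easy to misread at the boundaries (17.2.9, 17.3.5 and 17.4.2 are the fixed releases, not affected ones). The following script, added here as an example and not GitLab's own tooling, encodes those ranges and checks a version string against them. It assumes a version string of the form `MAJOR.MINOR[.PATCH][-edition]`, as returned in the `version` field of GitLab's `GET /api/v4/version` endpoint; the JSON responses in the block are constructed samples, not captured from a real instance.

```python
"""Check a GitLab version against the CVE-2024-9164 affected ranges from the advisory.

Added example (not GitLab's code). Assumes version strings shaped like
'17.4.1-ee', as returned by GET /api/v4/version (the edition suffix is optional).
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# From the advisory quoted above: each entry is
# (first affected version, inclusive) -> (first fixed version, exclusive).
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-(ce|ee))?")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    A missing patch component is treated as .0, so '17.3' sorts as 17.3.0,
    matching how the advisory phrases 'starting from 17.3'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def edition(text: str) -> Optional[str]:
    """Return 'ce' or 'ee' if the version string carries an edition suffix, else None."""
    m = _VERSION_RE.match(text)
    return m.group(4) if m else None


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range (lower bound inclusive, fix exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> Optional[str]:
    """Smallest patched release on the same branch as `version`, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def check_version_response(body: str) -> dict:
    """Evaluate the JSON body of GET /api/v4/version.

    Assumption: the body has the documented shape {"version": "...", "revision": "..."}.
    The advisory names GitLab EE; the edition is reported alongside the range check so
    the operator can see both, rather than silently excluding CE instances.
    """
    version = json.loads(body)["version"]
    return {
        "version": version,
        "edition": edition(version),
        "affected": is_affected(version),
        "fix": minimum_fixed_version(version),
    }


# Constructed sample responses (not real instance data).
SAMPLE_RESPONSES = {
    "vulnerable 17.4 branch": '{"version": "17.4.1-ee", "revision": "0000000"}',
    "boundary, already fixed": '{"version": "17.4.2-ee", "revision": "0000000"}',
    "old 17.2 branch": '{"version": "17.2.3-ee", "revision": "0000000"}',
    "before 12.5": '{"version": "12.4.9-ee", "revision": "0000000"}',
}


if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        result = check_version_response(body)
        status = f"AFFECTED, update to {result['fix']}" if result["affected"] else "not in affected ranges"
        print(f"{label:28} {result['version']:12} {status}")
```

Because the lower bound is inclusive and the fixed version is exclusive, `17.4.2` reports as not affected while `17.4.1` and bare `17.3` both report as affected, which is the reading the advisory intends.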

Of the remaining seven issues, four are rated high, two are rated medium, and one is rated low in severity:

  • CVE-2024-8970 (CVSS score: 8.2), which allows an attacker to trigger a pipeline as another user under certain circumstances
  • CVE-2024-8977 (CVSS score: 8.2), which allows SSRF attacks in GitLab EE instances with the Product Analytics Dashboard configured and enabled
  • CVE-2024-9631 (CVSS score: 7.5), which causes slowness when viewing diffs of merge requests with conflicts
  • CVE-2024-6530 (CVSS score: 7.3), which leads to HTML injection in the OAuth page when authorizing a new application, due to a cross-site scripting issue

The advisory is the latest in what appears to be a steady stream of pipeline-related vulnerabilities disclosed by GitLab in recent months.


Last month, the company addressed another critical flaw (CVE-2024-6678, CVSS score: 9.9) that could allow an attacker to run pipeline jobs as an arbitrary user.


Prior to that, it also patched three other similar shortcomings: CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).


While there is no evidence of active exploitation of the vulnerability, users are advised to update their instances to the latest release (17.4.2, 17.3.5, or 17.2.9 for the affected branches named in the advisory) to safeguard against potential threats.
