GitLab has released a security patch that fixes several critical vulnerabilities. The most severe, CVE-2024-9164, has a CVSS score of 9.6 out of 10 and allowed pipelines to run on arbitrary branches.
GitLab Patches Critical Vulnerabilities
On October 9, 2024, GitLab released patches for several critical vulnerabilities. The security bulletin covers six of them, the most critical being CVE-2024-9164 with a CVSS score of 9.6 out of 10.
This critical vulnerability allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository. In brief, CI/CD pipelines are automated processes that build, test, and deploy code, and triggering them is normally restricted to users with the appropriate permissions. An attacker who can run a pipeline on a branch of their choosing could therefore execute code or gain access to sensitive information. It affects versions from 12.5 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2.
At the other end of the severity spectrum is CVE-2024-6530, a cross-site scripting flaw that allows HTML code to be injected into the OAuth page during authorization of a new application.
CVE-2024-8970 is another flaw, allowing arbitrary user impersonation. Under specific conditions, this potentially enables attackers to trigger pipelines as another user. It has a CVSS score of 8.2 and affects GitLab CE/EE from version 11.6 up to versions 17.2.8, 17.3.4, and 17.4.1. The attack requires relatively high complexity and only partial privileges, making it more difficult, but not impossible, to exploit.
CVE-2024-8977 is a server-side request forgery (SSRF) flaw in the Analytics Dashboard. Instances where the Product Analytics Dashboard is configured and enabled are exposed to SSRF attacks, in which an attacker manipulates requests made by the server itself, potentially reaching internal resources that are otherwise inaccessible from the Internet. It has a CVSS score of 8.2, requires no user interaction and only low privileges, and affects GitLab EE (Enterprise Edition) versions from 15.10 to 17.4.
Mitigations and Patches
As no workarounds have been provided, the company strongly recommends that all installations running the vulnerable versions be upgraded to versions 17.4.2, 17.3.5, or 17.2.9 of GitLab Community Edition (CE) and Enterprise Edition (EE) as soon as possible. The vulnerable versions are as follows:
- from 12.5 prior to 17.2.9
- from 17.3 prior to 17.3.5
- from 17.4 prior to 17.4.2
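As an added example (not GitLab's own tooling), the Python helper below encodes the three affected ranges above and reports which patched release a given instance version should move to. The sample version strings and the handling of an `-ee`/`-ce` edition suffix are assumptions made for illustration.

```python
"""Check a GitLab version against the ranges fixed in the October 9, 2024 patch release.

Added example, not GitLab's own code. The (first affected, first fixed) pairs
are taken from the advisory text above; everything else is illustrative.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# One (first affected, first fixed) pair per supported release line, per the advisory.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
)


def parse_version(text: str) -> Version:
    """Parse '17.3.4', '17.3.4-ee' or '17.3' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop edition suffixes such as -ee / -ce (assumed format)
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # '17.3' -> 17.3.0
    return nums[0], nums[1], nums[2]


def vulnerable_to_cve_2024_9164(version: str) -> Optional[str]:
    """Return the patched release to upgrade to if `version` is in an affected range, else None.

    Tuple comparison keeps release lines apart: (17, 3, 0) is not below (17, 2, 9),
    so a 17.3.x instance is only matched by the 17.3 range.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory of instance versions; not real hosts.
    for sample in ("17.3.4-ee", "17.2.9", "16.11.0", "17.4.1", "17.4.2", "12.4.9"):
        target = vulnerable_to_cve_2024_9164(sample)
        status = f"upgrade to {target}" if target else "not in an affected range"
        print(f"{sample:12} {status}")
```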