GitLab Releases Critical Updates to Address Multiple Vulnerabilities
GitLab, a leading platform for DevOps lifecycle tools, has announced the release of critical updates for both its Community Edition (CE) and Enterprise Edition (EE). The new versions, 17.1.1, 17.0.3, and 16.11.5, contain essential security and bug fixes. GitLab urges all users to upgrade immediately to protect their installations from potential exploits.
Key Security Fixes
- CVE-2024-5655 (CVSS 9.6) – Run Pipelines as Any User
A severe vulnerability (CVE-2024-5655) has been identified, impacting GitLab versions from 15.8 onwards. This flaw allows attackers to trigger pipelines as another user under specific conditions, posing a significant security risk. The patch alters the Merge Request (MR) re-targeting workflow, requiring users to manually start pipelines when a target branch is merged. Additionally, GraphQL authentication using CI_JOB_TOKEN is now disabled by default, requiring alternative authentication methods.
- CVE-2024-4901 (CVSS 8.7) – Stored XSS in Imported Project’s Commit Notes
Another critical issue (CVE-2024-4901) involves a stored Cross-Site Scripting (XSS) vulnerability. This flaw can be exploited through malicious commit notes in imported projects, affecting versions from 16.9 onwards. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the user’s session.
- CVE-2024-4994 (CVSS 8.1) – CSRF on GraphQL API IntrospectionQuery
The Cross-Site Request Forgery (CSRF) vulnerability (CVE-2024-4994) affects all versions from 16.1.0 onwards. This issue allows attackers to execute arbitrary GraphQL mutations, potentially leading to unauthorized actions within the GitLab instance.
Additional Vulnerabilities Addressed
GitLab’s latest releases also address several other significant vulnerabilities:
- CVE-2024-6323 (CVSS 7.5): Improper authorization in global search allowing leakage of private repository content in public projects.
- CVE-2024-2177 (CVSS 6.8): Cross-window forgery in user application OAuth flow.
- CVE-2024-5430 (CVSS 6.8): Project maintainers bypassing group merge request approval policies.
- CVE-2024-4025 (CVSS 6.5): Regular Expression Denial of Service (ReDoS) via custom-built markdown pages.
- CVE-2024-3959 (CVSS 6.5): Unauthorized access to private job artifacts.
- CVE-2024-4557 (CVSS 6.5): Security fixes for Banzai pipeline.
- CVE-2024-1493 (CVSS 6.5): ReDoS in dependency linker.
- CVE-2024-1816 (CVSS 5.3): Denial of Service (DoS) using crafted OpenAPI files.
- CVE-2024-2191 (CVSS 5.3): Disclosure of Merge Request titles.
- CVE-2024-3115 (CVSS 4.3): Access issues to epics without an SSO session.
- CVE-2024-4011 (CVSS 3.1): Non-project members promoting key results to objectives.
Urgent Upgrade Recommendation
While GitLab has not found evidence of these vulnerabilities being exploited in the wild, the critical nature of these flaws necessitates immediate action. Users of GitLab CE and EE are strongly advised to upgrade to versions 17.1.1, 17.0.3, or 16.11.5 without delay to ensure the security and integrity of their installations.
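To turn the affected-from versions and fixed releases named above into an inventory check, the following added example (not GitLab's own code) compares an installed self-managed version string against the ranges stated in this advisory for the three key CVEs and reports the fixed release to move to; the version strings fed to it are constructed for illustration.

```python
"""Check a self-managed GitLab version against the ranges in this advisory."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, one per supported minor series.
FIXED_RELEASES: Tuple[Version, ...] = ((17, 1, 1), (17, 0, 3), (16, 11, 5))

# Inclusive lower bound of the affected range for each key CVE, as stated above.
AFFECTED_FROM = {
    "CVE-2024-5655": (15, 8, 0),   # run pipelines as any user
    "CVE-2024-4901": (16, 9, 0),   # stored XSS via imported commit notes
    "CVE-2024-4994": (16, 1, 0),   # CSRF on GraphQL IntrospectionQuery
}


def parse_version(text: str) -> Version:
    """Accept forms such as '17.0.2', '17.0.2-ee' or 'v16.11.4'."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(v: Version) -> bool:
    """True if v is at or beyond the fixed release of its own minor series,
    or newer than every series the advisory lists."""
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return v > max(FIXED_RELEASES)


def affected_cves(v: Version) -> List[str]:
    """Key CVEs whose stated range contains v (empty once v is fixed)."""
    if is_fixed(v):
        return []
    return [cve for cve, low in AFFECTED_FROM.items() if v >= low]


def upgrade_target(v: Version) -> Optional[Version]:
    """Smallest fixed release above v; None when no upgrade is needed."""
    if is_fixed(v):
        return None
    return min(f for f in FIXED_RELEASES if f > v)


if __name__ == "__main__":
    for sample in ("17.0.2-ee", "16.8.0", "17.1.1"):   # constructed inputs
        ver = parse_version(sample)
        print(sample, affected_cves(ver), upgrade_target(ver))
```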