CVE-2024-9164 (CVSS 9.6): GitLab Users Urged to Update Now
GitLab, a leading platform for DevOps and continuous integration/continuous delivery (CI/CD), has just released crucial security updates in versions 17.4.2, 17.3.5, and 17.2.9 for both Community Edition (CE) and Enterprise Edition (EE). These updates address several significant vulnerabilities, including a critical severity flaw (CVE-2024-9164) that could allow attackers to run pipelines on arbitrary branches, posing a major security risk to affected instances.
The most severe vulnerability (CVE-2024-9164) affects all GitLab Enterprise Edition versions from 12.5 onward and allows malicious actors to run pipelines on arbitrary branches, potentially giving them unauthorized access to sensitive data and systems. It has been assigned a CVSS score of 9.6, placing it in the critical severity range.
Other significant vulnerabilities addressed in this update include:
- CVE-2024-8970: Allows attackers to impersonate arbitrary users under specific circumstances, potentially leading to unauthorized actions and data breaches.
- CVE-2024-8977: A server-side request forgery (SSRF) vulnerability in the Analytics Dashboard could enable attackers to access internal resources and services.
- CVE-2024-9631: Viewing diffs in merge requests that contain conflicts can be slow enough to exhaust server resources, leading to a denial-of-service (DoS) condition.
- CVE-2024-6530: A cross-site scripting (XSS) vulnerability in the OAuth page could allow attackers to inject malicious scripts and steal user data.
GitLab has patched these vulnerabilities in versions 17.4.2, 17.3.5, and 17.2.9 for both Community Edition (CE) and Enterprise Edition (EE). Users are strongly encouraged to upgrade to one of these versions immediately.
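A quick way for administrators to confirm whether an instance is on a fixed release is to compare the version reported by GitLab's `GET /api/v4/version` endpoint against the patched versions named above. The script below is an added example, not code from GitLab or the article; it assumes the instance URL and a personal access token with `read_api` scope are supplied by the caller, and that every release from 12.5 below the fixed patch level on its branch needs upgrading.

```python
# Added example: classify a GitLab version string against the fixed releases
# the advisory names (17.4.2, 17.3.5, 17.2.9) for CVE-2024-9164 and the other
# issues patched alongside it.
import json
import re
import urllib.request
from typing import Tuple

FIXED_VERSIONS = [(17, 4, 2), (17, 3, 5), (17, 2, 9)]   # newest branch first
AFFECTED_FROM = (12, 5, 0)   # advisory: EE affected from 12.5 onward


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn strings like '17.3.4-ee' or '17.4.1' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'before_affected_range'.

    Each of the 17.2, 17.3 and 17.4 branches received a backported fix, so a
    version on one of those branches is compared against that branch's fixed
    patch level. Anything from 12.5 up to 17.2 never received a fix and must
    be upgraded; anything newer than 17.4.2 already includes the fix.
    """
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return "before_affected_range"
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:            # same release branch
            return "patched" if v >= fixed else "vulnerable"
    return "patched" if v > FIXED_VERSIONS[0] else "vulnerable"


def instance_status(base_url: str, token: str, timeout: float = 10.0) -> dict:
    """Query the instance's version endpoint and classify the result.

    base_url and token are caller-supplied (hypothetical values in any demo);
    the token needs the read_api scope.
    """
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        version = json.load(resp)["version"]
    return {"version": version, "status": status(version)}
```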