A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user.
GitLab is a popular web-based open-source software project management and work tracking platform.
It has an estimated one million active license users.
The security issue addressed in the lasted update is tracked as CVE-2024-5655 and has a severity score of 9.6 out of 10.
Under certain circumstances, which the vendor did not define, an attacker could leverage it to trigger a pipeline as another user.
GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment system that enables users to automatically run processes and tasks, either in parallel or in sequence, to build, test, or deploy code changes.
The vulnerability impacts all GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.
GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends users to apply the updates as soon as possible.
Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged.
Users must manually start the pipeline to execute CI for their changes.
CI JOB TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5.
To access the GraphQL API, users need to configure one of the supported token types for authentication.
CVE-2024-4901: Stored XSS vulnerability allowing malicious commit notes from imported projects to inject scripts, potentially leading to unauthorized actions and data exposure.
CVE-2024-4994: A CSRF vulnerability in the GraphQL API allowing attackers to execute arbitrary GraphQL mutations by tricking authenticated users into making unwanted requests, potentially leading to data manipulation and unauthorized operations.
CVE-2024-6323: Authorization flaw in GitLab's global search feature allowing attackers to view search results from private repositories within public projects, potentially leading to information leaks and unauthorized access to sensitive data.
Resources for GitLab updates are available here, while GitLab Runner guidelines can be found on this page.
Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released.
Hackers target new MOVEit Transfer critical auth bypass bug.
CISA: Most critical open source projects not using memory safe code.
Chemical facilities warned of possible data theft in CISA CSAT breach.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 29 Jun 2024 06:13:05 +0000