GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
The release covers versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.
With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job.
The severity of the flaw stems from its potential for remote exploitation, the lack of user interaction, and the low privileges required to exploit it.
GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. – GitLab
GitLab pipelines are automated workflows used to build, test, and deploy code, and are part of GitLab's CI/CD (Continuous Integration/Continuous Delivery) system.
They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.
GitLab has addressed arbitrary pipeline execution vulnerabilities several times in recent months, including in July 2024 to fix CVE-2024-6385, in June 2024 to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical.
The bulletin also lists four high-severity issues with scores between 6.7 and 8.5 that could potentially allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows:
- CVE-2024-8640: Due to improper input filtering, attackers could inject commands into a connected Cube server via YAML configuration, potentially compromising data integrity. Affects GitLab EE starting from 16.11.
- CVE-2024-8635: Attackers could exploit a Server-Side Request Forgery (SSRF) vulnerability by crafting a custom Maven Dependency Proxy URL to make requests to internal resources, compromising internal infrastructure. Affects GitLab EE starting from 16.8.
- CVE-2024-8124: Attackers could trigger a DoS attack by sending a large 'glm_source' parameter, overwhelming the system and making it unavailable. Affects GitLab CE/EE starting from 16.4.
- CVE-2024-8641: Attackers could exploit a CI_JOB_TOKEN to gain access to a victim's GitLab session token, allowing them to hijack the session. Affects GitLab CE/EE starting from 13.7.
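The affected ranges for CVE-2024-6678 given earlier and the "starting from" versions in the list above are easy to misread when checking a fleet of instances by hand. The following Python script is an added example, not GitLab's code or part of the bulletin: it transcribes the ranges stated in this article and reports which of the five CVEs apply to a given version string. Its assumptions are its own: version strings look like `MAJOR.MINOR.PATCH` with an optional `-ee`/`-ce` suffix, the four high-severity issues are treated as fixed in the same 17.1.7/17.2.5/17.3.2 releases, and minor lines newer than 17.3 are assumed to carry the fixes.

```python
"""Added example: check a GitLab version string against the ranges in this bulletin.

Affected/fixed ranges are transcribed from the advisory text; the version string
format (MAJOR.MINOR[.PATCH] with an optional '-ee'/'-ce' suffix) and the assumption
that minor lines newer than 17.3 ship the fixes are this example's own.
"""

Version = tuple[int, int, int]

# Fixed releases named in the bulletin, one per supported minor line.
FIXED_RELEASES: tuple[Version, ...] = ((17, 1, 7), (17, 2, 5), (17, 3, 2))

# CVE-2024-6678: affected from 8.14 up to (not including) 17.1.7,
# from 17.2 before 17.2.5, and from 17.3 before 17.3.2.
CVE_2024_6678_RANGES: tuple[tuple[Version, Version], ...] = (
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)

# The four high-severity issues: earliest affected version and the editions they apply to.
HIGH_SEVERITY_ISSUES: dict[str, tuple[Version, frozenset[str]]] = {
    "CVE-2024-8640": ((16, 11, 0), frozenset({"ee"})),
    "CVE-2024-8635": ((16, 8, 0), frozenset({"ee"})),
    "CVE-2024-8124": ((16, 4, 0), frozenset({"ce", "ee"})),
    "CVE-2024-8641": ((13, 7, 0), frozenset({"ce", "ee"})),
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional '-ee'/'-ce' suffix into a tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_patched_release(version: str) -> bool:
    """True if the version is at or past the fixed release for its minor line.

    Minor lines older than 17.1 have no fixed release in this bulletin, so they are
    never 'patched'; lines newer than 17.3 are assumed (by this example) to carry the fixes.
    """
    v = parse_version(version)
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return v[:2] > (17, 3)


def is_affected_cve_2024_6678(version: str) -> bool:
    """Return True if the version lies in one of the bulletin's CVE-2024-6678 ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in CVE_2024_6678_RANGES)


def bulletin_findings(version: str, edition: str = "ee") -> list[str]:
    """List the bulletin's CVEs (critical and high) that apply to this version/edition."""
    v = parse_version(version)
    if is_patched_release(version):
        return []
    findings = []
    if is_affected_cve_2024_6678(version):
        findings.append("CVE-2024-6678")
    for cve, (since, editions) in HIGH_SEVERITY_ISSUES.items():
        if edition in editions and v >= since:
            findings.append(cve)
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("17.3.1-ee", "17.3.2-ee", "16.11.4-ce", "17.4.0-ee"):
        print(sample, "->", bulletin_findings(sample, sample.rsplit("-", 1)[1]))
```

A CE instance is only matched against the CE/EE issues, so `bulletin_findings("16.11.4", "ce")` omits the two EE-only findings; anything on a minor line that has no fixed release in this bulletin (17.0 and older) is reported as affected until it is upgraded to one of the three listed releases.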
For update instructions, source code, and packages, check GitLab's official download portal. The latest GitLab Runner packages are available there as well.