Critical GitLab bug lets attackers run pipelines as any user

A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user.

GitLab is a popular web-based open-source software project management and work tracking platform. It has an estimated one million active license users.

The security issue addressed in the latest update is tracked as CVE-2024-5655 and has a severity score of 9.6 out of 10. Under certain circumstances, which the vendor did not define, an attacker could leverage it to trigger a pipeline as another user.

GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment (CI/CD) system that enables users to automatically run processes and tasks, either in parallel or in sequence, to build, test, or deploy code changes.

The vulnerability impacts all GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible” – GitLab

GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends that users apply the updates as soon as possible.
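To check an instance against the affected ranges and patched releases listed above, here is an added example (not GitLab's own tooling) that parses a GitLab version string, such as the `16.11.4-ee` form returned by the instance itself, and reports the fixed release on the same branch; the `-ee`/`-ce` suffix handling is an assumption about the string format.

```python
"""Check a GitLab CE/EE version string against the CVE-2024-5655 ranges
from the advisory above. Added example, not GitLab's own code."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) and the patched release for each branch,
# exactly as stated in the article.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 4), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 2), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 0), (17, 1, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple.

    Accepts an optional leading 'v' and an edition suffix such as
    '-ee' or '-ce' (assumed format); rejects anything else so a
    string like 'latest' is never silently treated as unaffected.
    """
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(text: str) -> Optional[str]:
    """Return the patched release to upgrade to, or None if not affected."""
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return "%d.%d.%d" % fixed
    return None


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range."""
    return fixed_version_for(text) is not None


if __name__ == "__main__":
    for sample in ("16.11.4-ee", "17.0.2", "17.1.0", "16.11.5"):
        print(sample, "->", fixed_version_for(sample) or "not affected")
```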

The vendor also notes that upgrading to the latest versions comes with two breaking changes that users should be aware of:

  1. Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Users must manually start the pipeline to execute CI for their changes.
  2. CI_JOB_TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5. To access the GraphQL API, users need to configure one of the supported token types for authentication.

The latest GitLab update also introduces security fixes for 13 other issues, three of which are rated as “high” severity (CVSS v3.1 score: 7.5 – 8.7). These three are summarized as follows:

  • CVE-2024-4901: Stored XSS vulnerability allowing malicious commit notes from imported projects to inject scripts, potentially leading to unauthorized actions and data exposure.
  • CVE-2024-4994: A CSRF vulnerability in the GraphQL API allowing attackers to execute arbitrary GraphQL mutations by tricking authenticated users into making unwanted requests, potentially leading to data manipulation and unauthorized operations.
  • CVE-2024-6323: Authorization flaw in GitLab’s global search feature allowing attackers to view search results from private repositories within public projects, potentially leading to information leaks and unauthorized access to sensitive data.

Resources for GitLab updates are available here, while GitLab Runner guidelines can be found on this page.