GitLab Urges Users to Patch Critical CI/CD Vulnerability Affecting Multiple Versions

Oct 11, 2024 | News





Critical GitLab Flaw Allows Unauthorized CI/CD Pipeline Execution

GitLab has released security patches to address multiple vulnerabilities, including a critical flaw (CVE-2024-9164) that allows unauthorized users to trigger CI/CD pipelines on any branch of a repository. This flaw, with a CVSS v3.1 score of 9.6, can be exploited to execute code or gain access to sensitive information by bypassing branch protections.

Impacted Versions and Urgent Upgrade Recommendations

The vulnerability affects GitLab EE versions 12.5 to 17.2.8, 17.3 to 17.3.4, and 17.4 to 17.4.1. GitLab has urged users to upgrade to patched versions 17.4.2, 17.3.5, or 17.2.9 as soon as possible to avoid potential exploitation. GitLab Dedicated customers do not need to take any action, as their cloud-hosted instances are always kept up-to-date.
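The version ranges above are easy to misread when you have several instances on different release lines, so here is a small checker, added here as an example and not part of the original article or GitLab's own tooling. It encodes only the inclusive affected ranges and patched releases the advisory lists; the helper names, the mapping of pre-17.2 releases to 17.2.9 as their nearest patched release, and the sample inventory at the bottom are constructed for illustration.

```python
"""Check whether a GitLab EE version string falls inside the ranges the
advisory lists for CVE-2024-9164 and report the release that closes it.

Added example; not GitLab's own tooling. Ranges and patched versions come
from the advisory text; the helper names and sample inventory are
constructed for illustration.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first_affected, last_affected) ranges from the advisory, each
# paired with the release that closes that line. Releases older than 17.2 are
# mapped to 17.2.9 as the nearest patched release (an assumption made here).
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 8), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 4), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 1), (17, 4, 2)),
]

# Accepts "17.4.1", "17.4.1-ee", "17.4" and similar; rejects anything else.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple.

    Raises ValueError on unrecognised input so that a garbled version string
    is never silently treated as "not affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def affected_range(version: str) -> Optional[tuple]:
    """Return the (first, last, fixed) triple the version falls into, or None."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return (first, last, fixed)
    return None


def is_affected(version: str) -> bool:
    """True if the version lies inside any advisory range for CVE-2024-9164."""
    return affected_range(version) is not None


def recommended_upgrade(version: str) -> Optional[str]:
    """Patched release for an affected version as 'X.Y.Z'; None if not affected."""
    r = affected_range(version)
    if r is None:
        return None
    return ".".join(str(n) for n in r[2])


if __name__ == "__main__":
    # Constructed sample inventory: instance name -> reported version.
    inventory = {
        "gitlab-prod": "17.4.1-ee",
        "gitlab-staging": "17.3.5-ee",
        "gitlab-legacy": "16.11.2-ee",
        "gitlab-old": "12.4.9-ee",
    }
    for name, ver in inventory.items():
        if is_affected(ver):
            print(f"{name}: {ver} AFFECTED by CVE-2024-9164, "
                  f"upgrade to {recommended_upgrade(ver)}")
        else:
            print(f"{name}: {ver} not in an affected range")
```

The parser deliberately raises on strings it does not understand rather than returning a default; an inventory entry like "unknown" should surface as an error to investigate, not disappear into the "not affected" column.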


Additional High Severity Vulnerabilities Addressed

Alongside CVE-2024-9164, GitLab addressed several other vulnerabilities:

  • CVE-2024-8970: An arbitrary user impersonation flaw, allowing attackers to trigger pipelines as other users.
  • CVE-2024-8977: A Server-Side Request Forgery (SSRF) vulnerability in the Analytics Dashboard.
  • CVE-2024-9631: A performance issue causing delays when viewing diffs of merge requests with conflicts.
  • CVE-2024-6530: An HTML injection vulnerability on the OAuth page, allowing cross-site scripting (XSS) attacks during OAuth authorization.

Less Severe but Notable Vulnerabilities

Several low to medium severity issues were also resolved, including:

  • CVE-2024-9623: An issue allowing deploy keys to push to archived repositories.
  • CVE-2024-5005: Guest users able to disclose project templates via the API.
  • CVE-2024-9596: Unauthorized disclosure of the GitLab version.





Persistent Security Issues with GitLab Pipelines

This marks the latest in a series of pipeline-related vulnerabilities for GitLab. The platform has already patched multiple critical flaws this year, including CVE-2024-6678 (August), CVE-2024-6385 (July), and CVE-2024-5655 (June).

Users are advised to check GitLab’s official download portal for instructions, source code, and packages, including the latest GitLab Runner packages.


Source: bleepingcomputer.com
