National Cyber Warfare Foundation (NCWF) Forums


GitLab fixed a critical flaw that could allow arbitrary CI CD pipeline execution


2024-10-11 18:09:17
milo
Blue Team (CND)


GitLab issued updates for CE and EE to address multiple flaws, including a critical bug allowing CI/CD pipeline runs on unauthorized branches.





GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities, including a critical bug, tracked as CVE-2024-9164 (CVSS score of 9.6), allowing CI/CD pipeline runs on unauthorized branches.





“An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue. It is now mitigated in the latest release and is assigned CVE-2024-9164.” reads the advisory.
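To turn the advisory's version ranges into an inventory check, here is an added example (not code from the article, GitLab, or SecurityAffairs) that parses GitLab version strings and reports which instances still fall inside the affected ranges quoted above; the host inventory is constructed for illustration.

```python
# Added example, not part of the article or GitLab's own tooling.
# Affected ranges as quoted from the CVE-2024-9164 advisory: [start, fixed) per series.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),   # 12.5 up to (not including) 17.2.9
    ((17, 3, 0), (17, 3, 5)),   # 17.3 up to (not including) 17.3.5
    ((17, 4, 0), (17, 4, 2)),   # 17.4 up to (not including) 17.4.2
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional 'v' prefix or '-ee'/'-ce' suffix."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> Optional[Version]:
    """Return the first fixed version of the affected range that contains `version`,
    or None when the version lies outside every affected range."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def check_inventory(inventory: Dict[str, str]) -> Dict[str, Version]:
    """Map host -> minimum fixed version for every host still on an affected build."""
    return {host: fixed for host, ver in inventory.items()
            if (fixed := fixed_version_for(ver)) is not None}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "17.3.4-ee",
    "gitlab-staging.example.internal": "17.4.2-ee",
    "gitlab-legacy.example.internal": "16.11.0-ee",
}

if __name__ == "__main__":
    for host, fixed in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {'.'.join(map(str, fixed))} or later")
```

On a real instance the version string can be read from the authenticated `/api/v4/version` endpoint, which returns it in the same `MAJOR.MINOR.PATCH-ee` form the parser accepts.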





The company addressed the following four high-severity issues:

  • CVE-2024-8970 (CVSS score: 8.2): an attacker can exploit the flaw to trigger a pipeline as another user under certain circumstances.
  • CVE-2024-8977 (CVSS score: 8.2): an attacker can exploit the flaw to conduct SSRF attacks in GitLab EE instances with the Product Analytics Dashboard configured and enabled.
  • CVE-2024-9631 (CVSS score: 7.5): causes slowness while viewing diffs of merge requests with conflicts.
  • CVE-2024-6530 (CVSS score: 7.3): HTML injection in the OAuth page when authorizing a new application, due to a cross-site scripting issue.





The two medium-severity issues addressed by the organization are:









In mid-September, GitLab released security patches for 17 vulnerabilities in GitLab CE (Community Edition) and EE (Enterprise Edition).





One of these vulnerabilities is a critical pipeline execution flaw, tracked as CVE-2024-6678 (CVSS score of 9.9), that could allow an attacker to trigger a pipeline as an arbitrary user under certain circumstances.










Pierluigi Paganini





(SecurityAffairs – hacking, GitLab)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/169671/security/gitlab-fixed-critical-flaw-cve-2024-9164.html





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.