GitLab has issued a critical set of security updates for both its Community Edition (CE) and Enterprise Edition (EE) products. The company strongly advises users of self-hosted GitLab installations to upgrade immediately to the latest versions: 17.4.2, 17.3.5, or 17.2.9, in order to safeguard against newly identified vulnerabilities.
These updates address several security issues, including a major vulnerability that could potentially allow attackers to execute pipelines on unauthorized branches. This latest round of fixes follows a series of significant security incidents that have plagued GitLab over the past few months.
In the previous month, GitLab patched another severe flaw (CVE-2024-6678) with a CVSS score of 9.9. This vulnerability could have allowed unauthorized users to run pipeline jobs as different users. Additionally, GitLab has fixed three other critical security bugs in recent updates: CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385, all of which were assigned a CVSS score of 9.6.
Back in May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified another significant vulnerability (CVE-2023-7028) in GitLab, marking it as a Known Exploited Vulnerability (KEV) due to confirmed exploitation attempts.
Key Vulnerabilities in Latest Security Fixes
The newest patch addresses several high-risk issues. These include vulnerabilities that could allow attackers to impersonate other users, exploit server-side request forgery (SSRF) through the Analytics Dashboard, and inject harmful HTML into the OAuth page.
In total, GitLab’s security team uncovered eight vulnerabilities, ranging from critical to low severity. According to the company’s statement, their goal is to ensure that all customer-facing components meet the highest security standards.
The most severe of these flaws, CVE-2024-9164, impacts versions from 12.5 onwards and could enable attackers to launch pipelines on unauthorized branches. Such a vulnerability could lead to compromised projects and sensitive data exposure.
Another high-severity vulnerability, CVE-2024-8970, affects all GitLab versions from 11.6 onwards. Under certain conditions, it allows attackers to run a pipeline on behalf of another user, highlighting the need for urgent action to patch systems and protect GitLab instances.
Though no known active exploitation of these vulnerabilities has been detected, GitLab strongly recommends users to update to the latest available versions to prevent potential security threats.
Additional Bug Fixes and Performance Enhancements
Beyond addressing these security concerns, the latest patches also include various performance improvements and bug fixes. Notable issues resolved include problems with label filtering, a 401 error affecting unauthenticated requests in the go-get feature, and unintended disclosures of project templates.
GitLab continues to stress the importance of maintaining strong security practices. Regular updates and vigilant patching are essential for organizations using GitLab’s tools to ensure the security and integrity of their development environments.
In light of the recent wave of critical vulnerabilities, organizations are encouraged to act swiftly in applying patches and maintaining robust security protocols.