GitLab warns of critical arbitrary branch pipeline execution flaw

10 Oct 2024, 15:12 by Bill Toulas · BleepingComputer

GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.

The vulnerability, which is tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository.

CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, normally available only to users with appropriate permissions.

An attacker capable of bypassing branch protections could potentially perform code execution or gain access to sensitive information.

The issue, which has received a CVSS v3.1 rating of 9.6, rating it critical, impacts all GitLab EE versions starting from 12.5 and up to 17.2.8, from 17.3 up to 17.3.4, and from 17.4 up to 17.4.1.

Patches have been made available in versions 17.4.2, 17.3.5, and 17.2.9, which are the upgrade targets for GitLab users.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," warns GitLab's security bulletin.

It is clarified that GitLab Dedicated customers do not need to take any action, as their cloud-hosted instances always run the latest available version.

Along with CVE-2024-9164, the latest GitLab releases address the below security issues:

CVE-2024-8970: High severity arbitrary user impersonation flaw enabling attackers to trigger pipelines as another user.
CVE-2024-8977: High severity SSRF flaw in the Analytics Dashboard, making instances vulnerable to SSRF attacks.
CVE-2024-9631: High severity flaw causing slow performance when viewing diffs of merge requests with conflicts.
CVE-2024-6530: High severity HTML injection vulnerability in OAuth page allowing cross-site scripting during OAuth authorization.
CVE-2024-9623, CVE-2024-5005, CVE-2024-9596: Low to medium severity flaws, including deploying keys pushing to archived repositories, guest users disclosing project templates via API, and GitLab instance version disclosure to unauthorized users.

GitLab pipelines have lately proved to be a constant source of security vulnerabilities for the platform and its users.

GitLab addressed arbitrary pipeline execution vulnerabilities multiple times this year, including CVE-2024-6678 last month, CVE-2024-6385 in July, and CVE-2024-5655 in June, all rated critical.

For instructions, source code, and packages, check out GitLab's official download portal. The latest GitLab Runner packages are available here.