GitLab has issued security updates to address 14 vulnerabilities in its software, including a critical flaw that could allow attackers to run continuous integration and continuous deployment (CI/CD) pipelines as any user. This report details the vulnerabilities, affected versions, potential impacts, and recommended mitigations.

Vulnerability Overview

Critical Vulnerability (CVE-2024-5655)

• CVSS Score: 9.6
• Description: This critical flaw permits a malicious actor to trigger CI/CD pipelines as another user under certain conditions.
• Impacted Versions:
  • GitLab CE/EE 17.1 prior to 17.1.1
  • GitLab CE/EE 17.0 prior to 17.0.3
  • GitLab CE/EE 15.8 prior to 16.11.5
• Mitigation: Update to versions 17.1.1, 17.0.3, or 16.11.5.

Additional Vulnerabilities

1. CVE-2024-4901
   • CVSS Score: 8.7
   • Description: Stored XSS vulnerability imported from a project with malicious commit notes.
   • Mitigation: Apply the latest GitLab updates.
2. CVE-2024-4994
   • CVSS Score: 8.1
   • Description: CSRF attack on GitLab’s GraphQL API leading to the execution of arbitrary GraphQL mutations.
   • Mitigation: Apply the latest GitLab updates.
3. CVE-2024-6323
   • CVSS Score: 7.5
   • Description: Authorization flaw in the global search feature allowing leakage of sensitive information from a private repository within a public project.
   • Mitigation: Apply the latest GitLab updates.
4. CVE-2024-2177
   • CVSS Score: 6.8
   • Description: Cross window forgery vulnerability enabling an attacker to abuse the OAuth authentication flow via a crafted payload.
   • Mitigation: Apply the latest GitLab updates.

Affected Products

• GitLab Community Edition (CE)
• GitLab Enterprise Edition (EE)

Versions Affected

• GitLab CE/EE 17.1 prior to 17.1.1
• GitLab CE/EE 17.0 prior to 17.0.3
• GitLab CE/EE 15.8 prior to 16.11.5

Mitigation Steps

1. Update GitLab: Users are advised to update their GitLab installations to the latest versions (17.1.1, 17.0.3, or 16.11.5) to patch these vulnerabilities.
2. Review CI_JOB_TOKEN Usage: With the new update, GraphQL authentication using CI_JOB_TOKEN is disabled by default. Ensure your CI/CD pipelines are reviewed for any dependencies on this token.
3. Merge Request Adjustments: Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Adjust your workflows accordingly.

Potential Impact

Exploitation of these vulnerabilities could result in unauthorized actions within the CI/CD pipelines, execution of arbitrary code, leakage of sensitive information, and other security breaches. Although no active exploitation has been reported, it is crucial to apply the provided patches to safeguard against potential threats.

Recommendations

• Immediate Update: Apply the patches released by GitLab without delay.
• Monitor Systems: Keep an eye on your systems for any unusual activity that could indicate an attempted exploitation of these vulnerabilities.
• Review Security Practices: Regularly review and update your security practices, particularly around CI/CD pipeline configurations and access controls.

Stay Secure. Stay Informed.

OP Innovate Research Team.