GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities, including a critical bug, tracked as CVE-2024-9164 (CVSS score of 9.6), allowing CI/CD pipeline runs on unauthorized branches.
“An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue. It is now mitigated in the latest release and is assigned CVE-2024-9164.” reads the advisory.
The company addressed the following four high-severity issues:
The two medium severity issues addressed by the organization are:
In mid-September, GitLab released security patches for 17 vulnerabilities in GitLab CE (Community Edition) and EE (Enterprise Edition).
One of these vulnerabilities is a critical pipeline execution flaw, tracked as CVE-2024-6678 (CVSS score of 9.9), that could allow an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, GitLab)