GitLab fixed a critical flaw that could allow arbitrary CI/CD pipeline execution

GitLab issued updates for CE and EE to address multiple flaws, including a critical bug allowing CI/CD pipeline runs on unauthorized branches.

GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities, including a critical bug, tracked as CVE-2024-9164 (CVSS score of 9.6), allowing CI/CD pipeline runs on unauthorized branches.

“An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue. It is now mitigated in the latest release and is assigned CVE-2024-9164.” reads the advisory.

The company addressed the following four high-severity issues:

• CVE-2024-8970 (CVSS score: 8.2): an attacker can exploit the flaw to trigger a pipeline as another user under certain circumstances
• CVE-2024-8977 (CVSS score: 8.2): an attacker can exploit the flaw to conduct SSRF attacks in GitLab EE instances with Product Analytics Dashboard configured and enabled
• CVE-2024-9631 (CVSS score: 7.5), which causes slowness while viewing diffs of merge requests with conflicts.
• CVE-2024-6530 (CVSS score: 7.3), which results in HTML injection in OAuth page when authorizing a new application due to a cross-site scripting issue

The two medium severity issues addressed by the organization are:

• CVE-2024-9623 – Deploy Keys can push changes to an archived repository
• CVE-2024-5005 – Guests can disclose project templates

In mid-September, GitLab released security patches for 17 vulnerabilities in GitLab CE (Community Edition) and EE (Enterprise Edition).

One of these vulnerabilities is a critical pipeline execution flaw, tracked as CVE-2024-6678 (CVSS score of 9.9), that could allow an attacker to trigger a pipeline as an arbitrary user under certain circumstances.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GitLab)