June 27, 2024 at 10:57AM
A critical vulnerability affecting certain versions of GitLab allows running pipelines as any user, with a severity score of 9.6 out of 10. It impacts versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0, with updates to versions 17.1.1, 17.0.3, and 16.11.5 available. Two breaking changes and security fixes for other issues are also introduced. Users are recommended to upgrade immediately.
Based on the meeting notes, the key takeaways are as follows:
– A critical vulnerability (CVE-2024-5655) is affecting certain versions of GitLab Community and Enterprise Edition products, with a severity score of 9.6 out of 10.
– The vulnerability could be exploited to run pipelines as any user and impacts GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.
– GitLab has released versions 17.1.1, 17.0.3, and 16.11.5 to address the vulnerability and recommends that all affected installations be upgraded as soon as possible.
– The latest update also includes security fixes for 13 other issues, with the severity of three of them being rated as “high” (CVSS v3.1 score: 7.5 – 8.7), including CVE-2024-4901, CVE-2024-4994, and CVE-2024-6323.
– Upgrading to the latest versions involves two breaking changes related to pipeline execution and GraphQL authentication.
– The resources for GitLab updates are available on the GitLab website, and guidelines for GitLab Runner can be found on another specific page.