June 28, 2024 at 10:43AM
GitLab released updates addressing 14 security flaws, including a critical vulnerability that allows unauthorized execution of CI/CD pipelines. The most severe flaw, CVE-2024-5655 (CVSS score: 9.6), impacts versions 15.8 to 17.1; fixes are available in 17.1.1, 17.0.3, and 16.11.5. While there is no evidence of active exploitation, users are urged to apply the patches.
Key takeaways from the meeting notes on the GitLab security updates are:
– GitLab has released security updates to address 14 security flaws, including a critical vulnerability (CVE-2024-5655) that could allow a malicious actor to trigger a pipeline as another user.
– The vulnerabilities affect GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1, 17.0, and 15.8.
– The fix introduces two breaking changes – GraphQL authentication using CI_JOB_TOKEN is disabled by default and pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged.
– Other important flaws fixed in the release include a stored XSS vulnerability, a CSRF flaw in the GraphQL API, an authorization flaw in the global search feature, and a cross-window forgery vulnerability.
– Users are advised to apply the patches to mitigate potential threats, even though there is currently no evidence of active exploitation of the flaws.
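As an added example (not part of the original summary and not GitLab's own tooling), a small Python checker that maps an installed GitLab version string to the patch status implied by the fixed releases named above; the version ranges come from the text, and the assumption that the affected range begins at 15.8.0 is mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected range and fixed releases as stated in the advisory summary above.
# Assumption: "15.8 to 17.1" means every release from 15.8.0 up to the fixed builds.
FIRST_AFFECTED = (15, 8, 0)
# Minor lines that received a backported fix, and the fixed build for each.
FIXED_RELEASES = {
    (16, 11): (16, 11, 5),
    (17, 0): (17, 0, 3),
    (17, 1): (17, 1, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (edition suffixes such as '-ee' are ignored)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def fmt(version):
    return ".".join(str(part) for part in version)


@dataclass
class PatchStatus:
    vulnerable: bool
    upgrade_to: Optional[str]  # None when no upgrade is required
    reason: str


def assess(version_text):
    """Return the CVE-2024-5655 patch status for one installed version."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return PatchStatus(False, None, "release predates the affected range")
    line = v[:2]
    if line in FIXED_RELEASES:
        fixed = FIXED_RELEASES[line]
        if v >= fixed:
            return PatchStatus(False, None, "fixed build already installed")
        return PatchStatus(True, fmt(fixed), "older than the fixed build on this line")
    if line < (16, 11):
        # 15.8 through 16.10 received no backport: move to the oldest fixed line.
        return PatchStatus(True, fmt(FIXED_RELEASES[(16, 11)]), "unpatched line")
    return PatchStatus(False, None, "release is newer than the affected range")
```

The version string can be read from the GitLab admin area or the `/api/v4/version` endpoint of the instance being checked.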