October 11, 2024 at 03:27AM
GitLab has released security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing eight vulnerabilities, including a critical one (CVE-2024-9164, CVSS score 9.6) that allows an attacker to run CI/CD pipelines on arbitrary branches. Users are urged to update their instances; the fixes continue a run of pipeline-related vulnerabilities GitLab has disclosed in recent months.
**Meeting Takeaways – October 11, 2024: DevOps / Vulnerability**
1. **GitLab Security Updates**: GitLab has released updates for both its Community Edition (CE) and Enterprise Edition (EE) to address eight security vulnerabilities, including a critical one (CVE-2024-9164) with a CVSS score of 9.6, which lets an attacker run CI/CD pipelines on arbitrary branches of a repository.
2. **Affected Versions**: The critical vulnerability affects GitLab EE only: all versions from 12.5 before 17.2.9, 17.3 before 17.3.5, and 17.4 before 17.4.2 (fixed in 17.2.9, 17.3.5 and 17.4.2 respectively).
3. **Additional Vulnerabilities**:
– CVE-2024-8970 (CVSS 8.2): Allows an attacker to trigger a pipeline as another user under certain circumstances.
– CVE-2024-8977 (CVSS 8.2): Allows server-side request forgery (SSRF) in EE instances configured with the Product Analytics Dashboard enabled.
– CVE-2024-9631 (CVSS 7.5): Viewing diffs of merge requests with conflicts can be made slow, a denial-of-service condition.
– CVE-2024-6530 (CVSS 7.3): HTML injection on the OAuth page, a cross-site scripting issue.
4. **Pipeline Vulnerabilities Trend**: This release continues a pattern of pipeline-related flaws disclosed by GitLab: another critical one (CVE-2024-6678, CVSS 9.9) was addressed last month, and several other critical pipeline vulnerabilities, each with a CVSS score of 9.6, have been patched over the past year.
5. **Recommendation for Users**: Although there is no evidence of active exploitation, users are urged to update their GitLab instances to the latest version to mitigate potential threats.
**Action Item**: Ensure your organization updates GitLab instances to the latest version promptly.
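To turn the action item and the affected-version ranges above into a check an administrator can actually run, here is an added example (not GitLab's code and not part of the original advisory or summary). It parses a GitLab version string, compares it against the three CVE-2024-9164 ranges listed above, and evaluates the JSON body that GitLab's authenticated `GET /api/v4/version` endpoint returns. The sample response is constructed, and the assumption that EE builds report a `-ee` suffix while anything else is treated as CE is labelled in the code.

```python
"""Check a GitLab version against the CVE-2024-9164 affected ranges.

Affected (GitLab EE only, per the advisory):
  12.5 before 17.2.9, 17.3 before 17.3.5, 17.4 before 17.4.2.
"""
import json
import re
from typing import Optional, Tuple

# (first affected, first fixed) for each release line, taken from the advisory.
# Pre-release tags such as "-pre" or "-rc1" are compared on the numeric part only.
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '17.4.1-ee' into ((17, 4, 1), 'ee'). A missing patch number is 0.
    Raises ValueError for strings that are not GitLab-style versions."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def is_affected_by_cve_2024_9164(text: str) -> bool:
    """True if the numeric version falls inside one of the affected ranges.
    The CE/EE distinction is handled in check_instance(), not here."""
    version, _ = parse_version(text)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text: str) -> Optional[str]:
    """First fixed release on the same line (e.g. 16.11.3 -> 17.2.9), or None."""
    version, _ = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= version < hi:
            return ".".join(str(n) for n in hi)
    return None


def check_instance(version_json: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version.

    ASSUMPTION (not stated on the page): EE builds report a '-ee' suffix and any
    other string is a CE build. CE is not listed for CVE-2024-9164, but CE
    instances still need the other seven fixes in the same releases."""
    body = json.loads(version_json)
    version_text = body["version"]
    _, suffix = parse_version(version_text)
    edition = "EE" if suffix == "ee" else "CE"
    affected = edition == "EE" and is_affected_by_cve_2024_9164(version_text)
    return {
        "version": version_text,
        "edition": edition,
        "cve_2024_9164": affected,
        "update_to": fixed_version_for(version_text) if affected else None,
    }


# Constructed sample response; not captured from a real instance.
SAMPLE_RESPONSE = '{"version": "17.4.1-ee", "revision": "abc123def"}'

if __name__ == "__main__":
    # To run against a real instance, fetch the body with a token that has read_api scope:
    #   curl -sH "PRIVATE-TOKEN: <token>" https://gitlab.example.com/api/v4/version
    print(check_instance(SAMPLE_RESPONSE))
```

The range boundaries are where mistakes usually happen: 17.2.9, 17.3.5 and 17.4.2 are the fixed releases and must not be flagged, while every 17.3.x below 17.3.5 is affected even though it is "newer" than 17.2.9. Chained tuple comparison keeps each line's boundaries separate instead of collapsing them into a single upper bound.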