GitLab has released crucial updates for both its Community Edition (CE) and Enterprise Edition (EE) with versions 17.1.1, 17.0.3, and 16.11.5. These updates address multiple high-severity security vulnerabilities, and all GitLab installations must be upgraded to these versions immediately. GitLab.com is already running the patched versions.

Run Pipelines as Any User (CVE-2024-5655)

This flaw allows an attacker to trigger a pipeline as another user under certain conditions. The severity of this issue is rated as critical with a CVSS score of 9.6. This vulnerability is resolved in the latest release and is assigned CVE-2024-5655.

This vulnerability could let a low-privileged user escalate their privileges to gain access to CI/CD sensitive assets, such as cloud tokens, Kubernetes service accounts, and privileged attached identities. Exploiting this flaw could lead to unauthorized access and control over critical infrastructure components.

Changes to Be Aware Of

  • MR Retargeting Workflow
    Pipelines will no longer run automatically when a merge request is re-targeted. Users must manually start the pipeline to run CI.
  • GraphQL Authentication
    CI_JOB_TOKEN authentication for GraphQL is disabled by default from version 17.0.0 and backported to 17.0.3 and 16.11.5. Use supported token types for GraphQL API access.

Stored XSS in Imported Project’s Commit Notes (CVE-2024-4901)

A high-severity stored XSS vulnerability has been discovered in GitLab CE/EE. The vulnerability allows a malicious commit note in an imported project to execute stored XSS attacks. This issue is rated with a CVSS score of 8.7.

Attackers could exploit this vulnerability by using low-privileged accounts to commit malicious notes. These notes could then execute code in the browsers of higher-privileged users, such as DevOps and IT staff, when they interact with the repository. This could lead to unauthorized actions being performed or sensitive data being compromised.

CSRF on GraphQL API IntrospectionQuery (CVE-2024-4994)

A high-severity vulnerability, identified as CVE-2024-4994, has been discovered in GitLab CE/EE, affecting all previously mentioned versions. This flaw allows for a CSRF attack on GitLab’s GraphQL API, enabling attackers to execute arbitrary GraphQL mutations.

Exploiting this vulnerability, attackers could potentially update project settings, trigger pipelines, and create issues, leading to unauthorized modifications and disruptions.
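A CSRF on a GraphQL endpoint comes down to the server running a cookie-authenticated request that a page on another site was able to make the victim's browser send. The check below is an added example, not GitLab's code, of the server-side conditions that close that gap: a browser can only forge a cross-site POST as a "simple" request (form or text content type, no custom headers), so requiring a JSON content type, a same-origin Origin header when one is present, and a CSRF token bound to the session rejects what a forged form submission can produce. The origin, header name, token and request bodies are constructed for the example; the IntrospectionQuery body only illustrates the endpoint named in the advisory.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed values for this illustration; the origin and the CSRF header
# name are assumptions, not GitLab's own configuration.
SITE_ORIGIN = "https://gitlab.example.internal"
CSRF_HEADER = "X-CSRF-Token"


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for the example)."""
    method: str
    headers: Dict[str, str]
    body: str

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def graphql_request_allowed(req: Request, session_csrf_token: str) -> bool:
    """Decide whether a cookie-authenticated GraphQL request may be executed.

    A cross-site page can make the victim's browser send a POST with a form
    content type and no custom headers, but it cannot set Content-Type to
    application/json, cannot add a custom header, and cannot forge Origin.
    Every one of these checks must pass, so a forged request fails at least one.
    """
    if req.method.upper() != "POST":
        return False
    content_type = req.header("Content-Type").split(";")[0].strip().lower()
    if content_type != "application/json":
        return False
    origin = req.header("Origin")
    if origin and origin.rstrip("/") != SITE_ORIGIN:
        return False
    # The per-session token is the primary defence; the checks above are
    # defence in depth and must never be accepted in its place.
    return bool(session_csrf_token) and req.header(CSRF_HEADER) == session_csrf_token


# Constructed session token and sample requests.
SESSION_TOKEN = "constructed-session-token-123"

LEGITIMATE = Request(
    "POST",
    {"Content-Type": "application/json", "Origin": SITE_ORIGIN, CSRF_HEADER: SESSION_TOKEN},
    '{"query":"query IntrospectionQuery { __schema { queryType { name } } }"}',
)

# The most a cross-site HTML form submission can produce: form content type,
# a foreign Origin and no custom header.
FORGED_FORM = Request(
    "POST",
    {"Content-Type": "application/x-www-form-urlencoded", "Origin": "https://attacker.example"},
    "query=mutation+%7B+placeholder+%7D",
)

# Right content type but a stale or guessed token: still rejected.
WRONG_TOKEN = Request(
    "POST",
    {"Content-Type": "application/json", "Origin": SITE_ORIGIN, CSRF_HEADER: "stale-token"},
    '{"query":"mutation { placeholder }"}',
)

if __name__ == "__main__":
    for name, req in [("legitimate", LEGITIMATE), ("forged form", FORGED_FORM), ("wrong token", WRONG_TOKEN)]:
        print(f"{name}: {'allowed' if graphql_request_allowed(req, SESSION_TOKEN) else 'rejected'}")
```

Requests authenticated with a bearer or personal access token in the Authorization header are outside this function's scope: a browser never attaches such a header cross-site, so the CSRF problem is specific to session cookies.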

Recommended Action

We strongly recommend that all affected installations be upgraded to the latest version. All types are affected if no specific deployment type (omnibus, source code, helm chart, etc.) is mentioned.
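The first practical step is knowing whether a given instance is behind the fixed releases named above. The script below is an added example, not part of the advisory or of GitLab's tooling: it maps a version string to the fixed release on its branch (17.1.1, 17.0.3 or 16.11.5) and reports the release an instance should move to, or nothing if it is already patched. The JSON shape matches GitLab's `GET /api/v4/version` endpoint, which returns `version` and `revision` to an authenticated caller; the sample response is constructed. Two assumptions the page does not state are marked in the code: releases newer than 17.1.1 carry the fix, and branches older than 16.11 (which received no backport) are directed to 16.11.5.

```python
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (17, 1): (17, 1, 1),
    (17, 0): (17, 0, 3),
    (16, 11): (16, 11, 5),
}
NEWEST_FIXED: Version = (17, 1, 1)
OLDEST_FIXED: Version = (16, 11, 5)

# GitLab versions look like "17.0.2", "17.0.2-ee" or "16.11.4-ce"; only the
# numeric prefix matters for the comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse '17.0.2-ee' into (17, 0, 2); reject anything that is not a release string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def required_upgrade(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if the instance is already patched."""
    current = parse_version(version)
    branch = (current[0], current[1])
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        return None if current >= fixed else ".".join(map(str, fixed))
    # Assumption (not stated on the page): releases newer than 17.1.1 include the fix.
    if current > NEWEST_FIXED:
        return None
    # Assumption: branches older than 16.11 got no backport, so the oldest
    # fixed release is the nearest safe target.
    return ".".join(map(str, OLDEST_FIXED))


def check_version_endpoint(payload: str) -> Optional[str]:
    """Evaluate the JSON body returned by GET /api/v4/version."""
    data = json.loads(payload)
    return required_upgrade(data["version"])


# Constructed sample in the shape of the /api/v4/version response.
SAMPLE_RESPONSE = '{"version":"17.0.2-ee","revision":"0000000"}'

if __name__ == "__main__":
    for candidate in ["17.1.0", "17.1.1", "17.0.2-ee", "16.11.4", "16.11.5", "16.10.3", "17.2.0"]:
        print(f"{candidate:>10} -> {required_upgrade(candidate) or 'patched'}")
    print("endpoint sample ->", check_version_endpoint(SAMPLE_RESPONSE) or "patched")
```

Feed the function the output of the version endpoint for each instance in an inventory and the result is the list of installations that still need to move, together with the exact release each should land on.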

Additionally, we recommend implementing the following measures:

  • Limit Access to Pipeline Execution: Ensure that only authorized users can trigger and manage pipelines.
  • Review and Update Security Settings: Regularly review your security configurations and update them as needed to mitigate potential risks.
  • Disable CI_JOB_TOKEN Authentication for GraphQL: Keep CI_JOB_TOKEN authentication for GraphQL disabled and use supported token types for GraphQL API access.

How Upwind Protects Against GitLab Vulnerabilities

The Upwind Cloud Security Platform helps address these GitLab vulnerabilities, and other critical vulnerabilities, by providing the following:

  1. Locate Vulnerable Packages: Use Upwind’s SBOM explorer to search your running packages and easily find GitLab CE and EE packages prior to 17.1.1, 17.0.3, and 16.11.5.
  2. View Resource Impact: Find all resources that contain CVE-2024-4994, CVE-2024-4901 and CVE-2024-5655, and correlate additional context such as which cloud accounts they are in, and which clusters, pods, namespaces, VMs and resources they are using.
  3. Prioritize At-Risk Resources: View the immediate impact CVE-2024-4994, CVE-2024-4901 and CVE-2024-5655 have on your environment, and identify affected resources with additional risk factors that create toxic combinations, such as internet exposure, talking to a database, containing secrets, or containing sensitive data, together with their package dependencies, all affected resources, and available fixes.
  4. Prioritize Package Upgrades: Create a list of vulnerable resources that should be prioritized for updates, using the recommended upgrades listed in this article to quickly secure your environment.

Learn More

Want to learn more about how Upwind protects you against critical vulnerabilities? Send us a note to [email protected] or schedule a demo.