Industry

GitLab releases critical security patches amid vulnerability streak

Oct 11, 2024

GitLab has released a new round of critical security patches for its Community Edition (CE) and Enterprise Edition (EE) products. The company strongly recommends that all self-managed GitLab installations be upgraded immediately to one of the latest versions: 17.4.2, 17.3.5, or 17.2.9.

These patch releases address several critical and high-severity vulnerabilities, including a critical flaw that could allow attackers to run pipelines on arbitrary branches. This latest security update comes in the wake of a series of critical vulnerabilities that GitLab has had to address in recent months.

Last month, GitLab patched another critical flaw (CVE-2024-6678) with a CVSS score of 9.9, which could have allowed an attacker to run pipeline jobs as an arbitrary user. Prior to that, the company also fixed three other similar high-severity vulnerabilities: CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385, each with a CVSS score of 9.6.

In May, the US Cybersecurity and Infrastructure Security Agency (CISA) labelled a critical vulnerability (CVE-2023-7028) affecting GitLab as a Known Exploited Vulnerability (KEV) in response to detecting active exploitation attempts.

Most recent GitLab security patches

Among the high-severity issues resolved in the latest patches are vulnerabilities that could enable an attacker to impersonate arbitrary users, exploit server-side request forgery (SSRF) in the Analytics Dashboard, and execute HTML injection in the OAuth page.

GitLab’s security team discovered eight vulnerabilities in total, ranging from critical to low severity. “We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards,” the company stated.

The most severe vulnerability in this release, CVE-2024-9164, affects all versions from 12.5 prior to the latest patch releases. This critical flaw could allow malicious actors to run pipelines on arbitrary branches, potentially compromising the integrity of projects and their associated data.

Another high-severity issue, CVE-2024-8970, impacts all versions from 11.6 and could allow an attacker to trigger a pipeline as another user under certain circumstances. This vulnerability underscores the importance of prompt patching to maintain the security of GitLab instances.

While there is no evidence of active exploitation of these vulnerabilities, users are strongly advised to update their instances to the latest version to protect against potential threats.

In addition to security fixes, the patch releases also include several bug fixes aimed at improving performance and reliability. These include resolving issues with label filtering, fixing a 401 error for unauthenticated requests in the go-get functionality, and addressing problems with project template disclosure.

GitLab continues to emphasise the importance of maintaining good security hygiene. The company recommends that all customers upgrade to the latest patch release for their supported version as part of best practices in securing their GitLab instances.

Especially in the context of the recent string of critical vulnerabilities, timely patching and vigilant security practices remain crucial for organisations leveraging GitLab’s collaboration and development tools.

(Photo by Diana Polekhina)

See also: Safe Coding: Google’s strategy reduces memory safety vulnerabilities

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo, and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: coding, cyber security, cybersecurity, development, gitlab, hacking, infosec, patch, programming, security, updates, vulnerabilities