GitLab has released security updates to address 13 vulnerabilities, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user.
GitLab: A Brief Overview of What It Is, In Case You’re a Layman
GitLab is a complete DevOps platform that offers tools for managing the software development lifecycle, from the initial idea to deployment and monitoring; it includes features for source code management (via Git), continuous integration (CI), continuous delivery (CD), project management, performance monitoring and team collaboration.
GitLab is available in two main editions: Community Edition (CE), which is open source, and Enterprise Edition (EE), which offers advanced features and support for enterprises.
Its popularity in the Linux world
GitLab is very popular in the Linux world and among open source developers. There are several reasons for this popularity:
- Open Source: GitLab Community Edition (CE) is open source, making it attractive to the Linux and open source community that values transparency and the ability to contribute code.
- Complete DevOps Integration: The platform offers a complete DevOps platform that covers the entire software development lifecycle, making it a cost-effective choice for developers using Linux.
- Self-Hosting: This platform can be easily installed and managed on Linux servers, allowing organizations to have complete control over their development and deployment environments.
- Strong Community and Support: GitLab has a large community of users and contributors using Linux, which leads to strong community support and rapid development of new features.
- Git Compatibility: GitLab is built around Git, a distributed version control system that is very popular in the Linux world.
- Integration with Linux Tools: GitLab integrates well with various commonly used tools and services on Linux, such as Docker, Kubernetes, and CI/CD pipelines.
![](https://tech.icrewplay.com/wp-content/uploads/2024/06/GitLab-1024x313.png)
These factors combined make GitLab a natural and popular choice among users and organizations operating in the Linux world.
What are the CVE issues found in the well-known Open Source platform
The flaws, which affect GitLab Community Edition (CE) and Enterprise Edition (EE), have been fixed in versions 17.1.1, 17.0.3, and 16.11.5.
The most severe vulnerability is CVE-2024-5655 (CVSS score: 9.6), which could allow a malicious actor to start a pipeline as another user under certain circumstances.
It affects the following versions of CE and EE:
- 17.1 before 17.1.1
- 17.0 before 17.0.3, and
- 15.8 before 16.11.5
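A defender's first step with an advisory like this is to check every GitLab instance in the fleet against the affected ranges quoted above. The following is an added example, not code from the article or from GitLab; it encodes the three ranges for CVE-2024-5655 as given here (15.8 before 16.11.5, 17.0 before 17.0.3, 17.1 before 17.1.1), parses version strings of the form GitLab reports (optionally suffixed with `-ee` or `-ce`), and reports the fixed release on the same branch. The hostnames and versions in the sample inventory are constructed, and the helper names are this example's own.

```python
"""Triage GitLab instances against the affected ranges for CVE-2024-5655.

Added example, not part of the original article or of GitLab's tooling.
Affected ranges come from the advisory summary quoted in the article; the
parser, range table and function names are assumptions of this example.
"""
from __future__ import annotations

import re

# (first affected, first fixed) pairs: lower bound inclusive, upper bound
# exclusive, exactly as the advisory summary phrases "X before Y".
AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int]]] = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]

# Accepts "17.0.2", "16.11.5-ee", "17.1" (patch defaults to 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ee|ce))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> str | None:
    """Fixed release on the same branch for an affected version, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: dict[str, str] = {
    "gitlab-prod.example.internal": "17.0.2-ee",
    "gitlab-staging.example.internal": "17.1.1",
    "gitlab-legacy.example.internal": "15.7.9",
    "gitlab-dev.example.internal": "16.11.4-ce",
}


def triage(inventory: dict[str, str]) -> dict[str, str | None]:
    """Map each host to the release it should be upgraded to, or None if unaffected."""
    return {host: recommended_upgrade(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        status = f"upgrade to {target}" if target else "not affected by CVE-2024-5655"
        print(f"{host}: {status}")
```

Note that the lower bound of the first range means a 15.7.x instance is reported as unaffected by this particular CVE; it is still an unsupported release and should be upgraded on general grounds, which this check deliberately does not conflate with the advisory's own scope.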
![](https://tech.icrewplay.com/wp-content/uploads/2024/06/GitLab-1024x576.webp)
GitLab said that the fix introduces two significant changes: GraphQL authentication using CI_JOB_TOKEN is disabled by default, and pipelines will no longer be executed automatically when a merge request is retargeted after its previous target branch has been merged.
The corrections made in detail
Some of the other important vulnerabilities fixed as part of the latest release are listed below:
- CVE-2024-4901 (CVSS score: 8.7) – A stored XSS vulnerability could be imported from a project with malicious commit notes
- CVE-2024-4994 (CVSS score: 8.1) – A CSRF attack on GitLab’s GraphQL API leading to execution of arbitrary GraphQL mutations
- CVE-2024-6323 (CVSS score: 7.5) – A permission flaw in the global search function that allows the leak of sensitive information from a private repository into a public project
- CVE-2024-2177 (CVSS score: 6.8) – A cross window forgery vulnerability that allows an attacker to abuse the OAuth authentication flow via a specially crafted payload
Although there is no evidence of active exploitation of the aforementioned vulnerabilities, users are advised to apply the patches to mitigate potential threats.