GitLab Security Updates Patch 14 Vulnerabilities

27-June-24

The critical issue, tracked as CVE-2024-5655 (CVSS score of 9.6) and impacting GitLab CE/EE versions newer than 15.8, 17.0, and 17.1, could allow an attacker to trigger a pipeline as another user under certain circumstances. Reported via GitLab’s bug bounty program, the issue was addressed by modifying the workflow so that “a pipeline will not automatically run when a merge request is automatically re-targeted due to its previous target branch being merged”.

“GraphQL authentication using CI_JOB_TOKEN is disabled by default from 17.0.0, and backported to 17.0.3, 16.11.5 in the current patch release. If access to the GraphQL API is required, please configure one of the several supported token types for authentication,” GitLab also notes in its advisory.

Two of the high-severity vulnerabilities addressed are a cross-site scripting (XSS) issue that could be imported from a project with malicious commit notes (CVE-2024-4901), and a cross-site request forgery (CSRF) issue in the GraphQL API that could lead to the execution of arbitrary GraphQL mutations (CVE-2024-4994).