GitLab operators have published critical patch releases for the version management platform. The vulnerabilities fixed in versions 17.1.1, 17.0.3 and 16.11.5 affect both the Community Edition (CE) and the Enterprise Edition (EE). Anyone who uses the service on GitLab.com is already working with the updated version.
As is the case with serious vulnerabilities, the release notes include an urgent recommendation to install the current version as soon as possible.
Pipeline execution as a different user
The critical vulnerability has a CVE (Common Vulnerabilities and Exposures) entry in the MITRE database: CVE-2024-5655. At the time of writing, the links to a detailed description of the vulnerability at MITRE and in the National Vulnerability Database (NIST) lead nowhere: they end in a 404 page or in a HackerOne message stating that the report does not exist yet.
The vulnerability is classified as Improper Access Control (CWE-284) and allows a CI pipeline to be triggered as a different user. Although GitLab rates it as critical with a CVSS score of 9.6 out of 10, there are apparently no indications so far that attackers have actively exploited it.
The cause of the vulnerability can be inferred indirectly from the breaking change that accompanies the patch: it concerns the retargeting of merge requests, which was previously able to trigger the CI pipeline automatically. For example, if the following two merge requests are pending at the same time:
- merge x into main
- add y to x,
the first can be merged first, after which the second can be retargeted so that it merges directly into the main branch, which now contains the original target x.
With the patch release, GitLab no longer triggers the CI pipeline automatically when a merge request is retargeted; users must start it manually. The patch also disables GraphQL authentication via CI_JOB_TOKEN.
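Since the patch releases are the only remediation, an administrator may want a quick check of the running instance against the fixed versions named above. The following is an added example, not GitLab tooling; it assumes the version string is taken from the admin area or from the authenticated `GET /api/v4/version` endpoint, and it treats release branches newer than 17.1 as containing the fix, since they were cut after it.

```python
"""Check a GitLab version string against the fixed releases from the advisory."""
import re
import sys

# Fixed releases from the advisory, keyed by (major, minor) release branch.
PATCHED = {
    (17, 1): (17, 1, 1),
    (17, 0): (17, 0, 3),
    (16, 11): (16, 11, 5),
}
OLDEST_FIXED_BRANCH = min(PATCHED)   # (16, 11): older branches got no fix
NEWEST_FIXED_BRANCH = max(PATCHED)   # (17, 1)


def parse_version(text: str) -> tuple:
    """Turn '17.0.2-ee' or '16.11.5' into (17, 0, 2); edition suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text: str) -> bool:
    """True if the release contains the fix for CVE-2024-5655 and the other
    issues in the advisory; False if it is on an unfixed or too-old branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in PATCHED:
        return (major, minor, patch) >= PATCHED[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return False  # e.g. 16.10.x: no patch release exists, update needed
    # Assumption: branches cut after 17.1 (17.2 and later) include the fix.
    return branch > NEWEST_FIXED_BRANCH


if __name__ == "__main__":
    # Constructed sample value; pass the real version string as argv[1].
    version = sys.argv[1] if len(sys.argv) > 1 else "17.0.2-ee"
    state = "patched" if is_patched(version) else "UPDATE REQUIRED"
    print(f"{version}: {state}")
```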
Vulnerabilities with XSS and CSRF
GitLab classifies another vulnerability, CVE-2024-4901, as high risk with a CVSS score of 8.7: importing a project via commit notes makes it possible to plant cross-site scripting (XSS) in the project, more precisely stored XSS, i.e. script code that persists on the target server.
Also rated high risk (CVSS score 8.1) is CVE-2024-4994 (detailed information is missing here as well), which allows attackers to execute arbitrary GraphQL mutations via GitLab's GraphQL API by means of cross-site request forgery (CSRF).
A detailed description of the vulnerabilities mentioned here and of eleven others can be found in the release notes for the patch releases on GitLab's website.
German admins are slow to patch
Prompt updates are recommended in any case, although apparently not all GitLab server operators take the advice seriously. In January, IT researchers published a study in which they found 5,379 GitLab servers worldwide reachable from the Internet that were affected by a vulnerability for which a patch had already been available for two weeks at the time of the study.
That vulnerability from 2023, CVE-2023-7028, allowed attackers to send password-reset emails to unverified email addresses and thus take over arbitrary accounts. Germany ranked second in the number of affected GitLab servers with 730 systems, behind the United States (964) and slightly ahead of Russia (721).
(RME)