Introduction
GitLab has issued critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities [5] [6] [7], including a severe flaw identified as CVE-2024-9164. These updates are crucial for maintaining the security and integrity of GitLab environments.
Description
GitLab has released urgent security updates for both Community Edition (CE) and Enterprise Edition (EE) to address eight vulnerabilities [5] [6] [7], including a critical flaw tracked as CVE-2024-9164 [5] [6] [7]. This vulnerability, which has a high Common Vulnerability Scoring System (CVSS) rating of 9.6 [5], allows unauthorized execution of Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches [5] [6], potentially enabling attackers to trigger malicious jobs and gain access to sensitive pipeline operations. It affects all versions of GitLab EE from 12.5 to 17.2.9 [6] [7], as well as versions 17.3 prior to 17.3.5 and 17.4 prior to 17.4.2 [5]. Users are strongly urged to upgrade to the patched versions 17.4.2, 17.3.5 [4], or 17.2.9 to mitigate potential exploitation [4].
The critical flaw was published on September 12, 2024 [2], and has been resolved in the latest release, made available on October 11, 2024 [1]. In addition to CVE-2024-9164 [2] [5], GitLab has addressed seven other vulnerabilities [5], including four rated as high severity: CVE-2024-8970 (CVSS score: 8.2) [5], which allows attackers to trigger pipelines as another user; CVE-2024-8977 (CVSS score: 8.2) [5], which enables Server-Side Request Forgery (SSRF) attacks; CVE-2024-9631 (CVSS score: 7.5) [5], a performance issue affecting merge request diffs; and CVE-2024-6530 (CVSS score: 7.3) [5], which results in HTML injection via OAuth pages [5]. Previous updates in mid-September addressed a total of 17 vulnerabilities [2].
While there is currently no evidence of active exploitation of CVE-2024-9164 or publicly available proof of concept, organizations are encouraged to follow their patching and testing guidelines to minimize operational impact [3], given the history of threat actors targeting GitLab instances [3]. GitLab Dedicated customers are not required to take any action [3] [4], as their instances are automatically updated [4]. The attack vector for CVE-2024-9164 is classified as network-based, with significant implications for confidentiality and integrity, and the vulnerability has been assigned a critical severity rating, reflecting its potential impact on security. Keeping systems updated is essential to securing CI/CD environments against unauthorized access [5], malware deployment [5], or disruption of development operations [5].
Conclusion
The recent security updates from GitLab are vital for protecting against significant vulnerabilities that could compromise CI/CD environments. Organizations should prioritize applying these patches to safeguard their systems from potential threats. Continuous vigilance and adherence to patch management protocols are essential to mitigate risks and ensure the security of development operations in the future.
References
[1] https://www.tenable.com/plugins/nessus/208737
[2] https://thenimblenerd.com/article/gitlabs-pipeline-panic-critical-flaw-fixed-just-in-time/
[3] https://arcticwolf.com/resources/blog/cve-2024-9164/
[4] https://www.blackhatethicalhacking.com/news/gitlab-urges-users-to-patch-critical-ci-cd-vulnerability-affecting-multiple-versions/
[5] https://cybourn.com/the-cybersecurity-express-11-october-2024
[6] https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html
[7] https://securityaffairs.com/169671/security/gitlab-fixed-critical-flaw-cve-2024-9164.html
