Article Details

GitLab warns of critical arbitrary branch pipeline execution flaw. GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw. The vulnerability, which is tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository. CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, normally available only to users with appropriate permissions. An attacker capable of bypassing branch protections could potentially perform code execution or gain access to sensitive information. The issue, which has received a CVSS v3.1 rating of 9.6, rating it critical, impacts all GitLab EE versions starting from 12.5 and up to 17.2.8, from 17.3 up to 17.3.4, and from 17.4 up to 17.4.1. Patches have been made available in versions 17.4.2, 17.3.5, and 17.2.9, which are the upgrade targets for GitLab users. "We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," warns GitLab's security bulletin. It is clarified that GitLab Dedicated customers do not need to take any action, as their cloud-hosted instances always run the latest available version. Along with CVE-2024-9164, the latest GitLab releases address the below security issues: GitLab pipelines have lately proved to be a constant source of security vulnerabilities for the platform and its users. GitLab addressed arbitrary pipeline execution vulnerabilities multiple times this year, including CVE-2024-6678 last month, CVE-2024-6385 in July, and CVE-2024-5655 in June, all rated critical. For instructions, source code, and packages, check out GitLab's official download portal. The latest GitLab Runner packages are available here.