GitLab Pipeline Vulnerability Affects Community and Enterprise Versions; Patch Available

A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user.

Summary

A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user. The vulnerability, tracked as CVE-2024-5655, impacts all GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 through 17.0.2, and 17.1.0. GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends that users apply the updates as soon as possible.

Community Impact

GitLab is a popular web-based open-source software project management and work tracking platform with an estimated one million active licensed users. The widespread use of GitLab in both consumer and corporate settings by RH-ISAC Core Members makes any potential exploitation a serious concern. All Core Members are encouraged to determine whether they use GitLab in their operations and, if so, to update to GitLab version 17.1.1, 17.0.3, or 16.11.5 as soon as technically feasible.

Background

A GitLab pipeline is a series of automated processes, often referred to as jobs, that run in sequence or in parallel to achieve a desired outcome. Pipelines are defined in a file at the root of a repository and are used to automate tasks such as building, testing, and deploying code. CVE-2024-5655 can allow users to run pipelines without holding any permission to do so. Allowing any user to run GitLab pipelines poses significant security risk: it grants potentially malicious users the ability to execute arbitrary code within the pipeline's environment, which could lead to unauthorized access to sensitive data, exploitation of vulnerabilities, or disruption of services. A user could also inject malicious scripts into the pipeline, which might then propagate through subsequent stages and affect the build, test, and deployment processes.

GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends that users apply the updates as soon as possible. The vendor also notes that upgrading to the fixed versions brings two breaking changes that users should be aware of:

  • Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Users must manually start the pipeline to execute CI for their changes.
  • CI_JOB_TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5. To access the GraphQL API, users need to configure one of the supported token types for authentication.
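The advisory asks members to determine whether they run an affected GitLab version and, if so, which fixed release applies to their line. The following Python helper is an added example, not code from RH-ISAC or GitLab: it encodes the affected ranges and fixed versions exactly as the advisory lists them and evaluates a version string, including the JSON body that GitLab's real GET /api/v4/version endpoint returns (the sample body below is constructed). Anything outside the listed ranges, including release lines older than 16.11, is mapped to the lowest fixed release the advisory names, which is an assumption of this example rather than vendor guidance.

```python
"""Check a GitLab version against the CVE-2024-5655 ranges given in the advisory.

Added example (not the advisory's or GitLab's own code). Ranges and fixed
versions are copied from the advisory text; the JSON sample is constructed.
"""
import json
import re
from typing import Dict, Tuple

# Affected ranges as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ("15.8.0", "16.11.4"),
    ("17.0.0", "17.0.2"),
    ("17.1.0", "17.1.0"),
)

# Fixed releases named in the advisory, keyed by "major.minor" release line.
FIXED_VERSIONS = {"16.11": "16.11.5", "17.0": "17.0.3", "17.1": "17.1.1"}

# Lowest fixed release; used for lines with no in-line fix (assumption).
LOWEST_FIXED = "16.11.5"

# major.minor[.patch] with an optional "-ee"/"+build" style suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '16.11.4', '17.1' or '17.0.2-ee' into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside any advisory range (inclusive)."""
    parsed = parse_version(version)
    return any(
        parse_version(low) <= parsed <= parse_version(high)
        for low, high in AFFECTED_RANGES
    )


def recommended_fix(version: str) -> str:
    """Fixed release for the instance's line, or the lowest fixed release otherwise."""
    major, minor, _ = parse_version(version)
    return FIXED_VERSIONS.get(f"{major}.{minor}", LOWEST_FIXED)


def assess_version_response(body: str) -> Dict[str, object]:
    """Evaluate the JSON body of GitLab's GET /api/v4/version ({"version": ..., "revision": ...})."""
    version = json.loads(body)["version"]
    affected = is_affected(version)
    action = (
        f"upgrade to {recommended_fix(version)} or later"
        if affected
        else "no action required for CVE-2024-5655"
    )
    return {"version": version, "affected": affected, "action": action}


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch /api/v4/version
    # from the instance with an authenticated HTTP client.
    sample_body = '{"version": "16.11.3-ee", "revision": "0000000"}'
    print(assess_version_response(sample_body))
```

The version parser deliberately accepts the "-ee" suffix that Enterprise Edition instances report and treats a two-component version such as "17.1" as ".0", so that the boundary checks line up with the inclusive ranges in the advisory.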
