GitLab Warns of Serious Security Vulnerability in CI/CD Pipeline Feature, Advises Immediate Patching
GitLab Enterprise Edition users the most heavily affected, though fixes abound for the Community Edition too.
GitLab users are being warned of a serious security vulnerability affecting versions of GitLab Enterprise Edition (EE) prior to 17.4.2, 17.3.5, and 17.2.9 — which, if left unpatched, allows for continuous integration (CI) pipeline triggers that could allow for remote code execution.
"An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches," the company explains in its announcement of the bug. "This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6)."
Left unchecked, the vulnerability — reported to the company through the HackerOne bug bounty program — allows attackers to run continuous integration (CI) and continuous deployment (CD) pipelines on the branches of their choice. This, in turn, can allow for arbitrary code execution if branch protection measures are bypassed, meaning patching immediately is strongly recommended.
The same new releases bring a fix for a related issue that allows an attacker to trigger pipelines as an arbitrary other user, rated high severity and affecting both the Enterprise Edition and the Community Edition of the GitLab software. Other fixes close a server-side request forgery (SSRF) vulnerability in GitLab EE's analytics dashboard, a degradation of service issue with diff viewing, a cross-site scripting problem in the software's OAuth page, and a hadful of other bugs.
Full details on the vulnerabilities, which do not affect those hosting their software on GitLab.com nor those using the GitLab Dedicated service, are available on the GitLab website.