9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
7.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
46.8%
GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user.
The weaknesses, which affect GitLab Community Edition (CE) and Enterprise Edition (EE), have been addressed in versions 17.1.1, 17.0.3, and 16.11.5.
The most severe of the vulnerabilities is CVE-2024-5655 (CVSS score: 9.6), which could permit a malicious actor to trigger a pipeline as another user under certain circumstances.
It impacts the following versions of CE and EE -
GitLab said the fix introduces two breaking changes as a result of which GraphQL authentication using CI_JOB_TOKEN is disabled by default and pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged.
Some of the other important flaws fixed as part of the latest release are listed below -
While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches to mitigate against potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
7.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
46.8%