GitLab has recently released security updates addressing a total of 14 vulnerabilities, one of which is rated critical. The critical flaw could allow an attacker to trigger CI/CD pipelines on behalf of any user. The vulnerabilities affect both GitLab Community Edition (CE) and Enterprise Edition (EE).
The most severe of these is CVE-2024-5655, with a CVSS score of 9.6. Under specific conditions it enables an attacker to run pipelines as another user. It affects GitLab CE and EE versions 15.8 through 16.11.5, 17.0 through 17.0.3, and 17.1 through 17.1.1.
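As an added example (not part of the original article or GitLab's own tooling), the following check decides whether a GitLab version string falls inside the CVE-2024-5655 affected ranges quoted above and which patch release in the same series first lies beyond them. It assumes `MAJOR.MINOR.PATCH` version strings, optionally with an `-ee`/`-ce` suffix, such as the `version` field returned by GitLab's `GET /api/v4/version` endpoint; the fixed-version figures are derived from the ranges in the text, not quoted from the advisory.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the article, inclusive on both ends.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]


def parse_version(s: str) -> Version:
    """Parse '17.1.1', '17.1.1-ee' or '16.11' into a 3-tuple; missing parts are 0."""
    core = s.strip().split("-")[0]  # drop edition suffixes such as '-ee'
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range (tuples compare lexicographically)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def first_fixed_version(version: str) -> Optional[str]:
    """Next patch release after the affected range containing this version.

    Derived from the article's upper bounds (assumption: the next patch in the
    same series is the fix). Returns None when the version is not affected.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return f"{hi[0]}.{hi[1]}.{hi[2] + 1}"
    return None


if __name__ == "__main__":
    # Constructed sample instances, not real hosts.
    for sample in ("17.1.1-ee", "16.11.6", "15.7.9", "17.0"):
        state = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:<10} {state:<13} fixed in: {first_fixed_version(sample)}")
```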
GitLab noted that the update also makes two notable changes. First, authentication using CI_JOB_TOKEN is now disabled by default. Second, pipelines no longer run automatically when a merge request's target branch is changed after the previous target branch has been merged.
Additionally, the recent update addresses other significant vulnerabilities, including CVE-2024-4901.