Critical GitLab bug lets attackers run pipelines as any user

A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user.

GitLab is a popular web-based open-source software project management and work tracking platform. It has an estimated one million active license users.

The security issue addressed in the lasted update is tracked as CVE-2024-5655 and has a severity score of 9.6 out of 10. Under certain circumstances, which the vendor did not define, an attacker could leverage it to trigger a pipeline as another user.

GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment (CI/CD) system that enables users to automatically run processes and tasks, either in parallel or in sequence, to build, test, or deploy code changes.

The vulnerability impacts all GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible” – GitLab

GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends users to apply the updates as soon as possible.

The vendor also informs that upgrading to the latest versions comes with two breaking changes that users should be aware of:

Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Users must manually start the pipeline to execute CI for their changes.
CI_JOB_TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5. To access the GraphQL API, users need to configure one of the supported token types for authentication.

The latest GitLab update also introduces security fixes for 13 other issues, the severity of three of them being rated as “high” (CVSS v3.1 score: 7.5 – 8.7). These three are summarized as follows:

CVE-2024-4901: Stored XSS vulnerability allowing malicious commit notes from imported projects to inject scripts, potentially leading to unauthorized actions and data exposure.
CVE-2024-4994: A CSRF vulnerability in the GraphQL API allowing attackers to execute arbitrary GraphQL mutations by tricking authenticated users into making unwanted requests, potentially leading to data manipulation and unauthorized operations.
CVE-2024-6323: Authorization flaw in GitLab’s global search feature allowing attackers to view search results from private repositories within public projects, potentially leading to information leaks and unauthorized access to sensitive data.

Resources for GitLab updates are available here, while GitLab Runner guidelines can be found on this page.