CVE-2024-9164 (CVSS 9.6): GitLab Users Urged to Update Now

Summary: GitLab has released critical security updates in versions 17.4.2, 17.3.5, and 17.2.9 for both Community and Enterprise Editions to address several significant vulnerabilities, including a critical flaw (CVE-2024-9164) that allows running pipelines on arbitrary branches. Users are urged to upgrade immediately to mitigate these risks.

Threat Actor: Malicious Actors
Victim: GitLab Users

Key Points:

  • Critical vulnerability (CVE-2024-9164) allows running pipelines on arbitrary branches, with a CVSS score of 9.6.
  • CVE-2024-8970 enables impersonation of arbitrary users, risking unauthorized actions and data breaches.
  • CVE-2024-8977 introduces a server-side request forgery (SSRF) vulnerability in the Analytics Dashboard.
  • CVE-2024-9631 can lead to denial-of-service (DoS) conditions because viewing the diff of a merge request that has conflicts can be extremely slow.
  • CVE-2024-6530 is a cross-site scripting (XSS) vulnerability that could allow script injection and data theft.

GitLab, a leading platform for DevOps and continuous integration/continuous delivery (CI/CD), has just released crucial security updates in versions 17.4.2, 17.3.5, and 17.2.9 for both Community Edition (CE) and Enterprise Edition (EE). These updates address several significant vulnerabilities, including a critical severity flaw (CVE-2024-9164) that could allow attackers to run pipelines on arbitrary branches, posing a major security risk to affected instances.

The most severe vulnerability (CVE-2024-9164) affects GitLab Enterprise Edition from version 12.5 up to, but not including, the patched releases 17.2.9, 17.3.5, and 17.4.2. It allows malicious actors to run pipelines on arbitrary branches, including branches they should not be able to run pipelines on. Because protected CI/CD variables and deployment credentials are typically scoped to protected branches, a pipeline run on such a branch can expose sensitive data and the systems it deploys to. This flaw has been assigned a CVSS score of 9.6, indicating its critical severity.

Other significant vulnerabilities addressed in this update include:

  • CVE-2024-8970: Allows attackers to impersonate arbitrary users under specific circumstances, potentially leading to unauthorized actions and data breaches.
  • CVE-2024-8977: A server-side request forgery (SSRF) vulnerability in the Analytics Dashboard could enable attackers to access internal resources and services.
  • CVE-2024-9631: Viewing code differences in merge requests with conflicts can be slow, leading to a denial-of-service (DoS) condition.
  • CVE-2024-6530: A cross-site scripting (XSS) vulnerability in the OAuth page could allow attackers to inject malicious scripts and steal user data.

GitLab has patched these vulnerabilities in versions 17.4.2, 17.3.5, and 17.2.9 for both Community Edition (CE) and Enterprise Edition (EE). Users are strongly encouraged to upgrade to one of these versions immediately. Instances on older release lines (17.1 and earlier) are not patched in place and must move to one of these three releases.
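For operators with several self-managed instances, the practical first step is to check each instance's reported version against the three fixed releases. The script below is an added example, not GitLab's own tooling: it parses the `version` field returned by GitLab's authenticated `GET /api/v4/version` endpoint (the sample JSON body here is constructed), determines the edition from the `-ee` suffix, and decides whether the instance carries the fixes. The rule it encodes follows from the advisory listing one fixed release per supported minor line: a version is patched only if it is at or above the fixed release of its own minor line or on a newer minor line; anything on an older line (17.1.x, 16.x, ...) is treated as unpatched regardless of its patch number. The CVE-2024-9164 flag is set only for EE, since the advisory describes it as an EE issue.

```python
"""Version triage for the GitLab October 2024 patch releases (added example).

Not GitLab's own tooling. Fixed versions come from the advisory (17.4.2,
17.3.5, 17.2.9); the sample API response at the bottom is constructed.
"""
import json
import re
from typing import Dict, Tuple

# Patched releases named in the advisory, one per supported minor line.
FIXED_VERSIONS: Tuple[Tuple[int, int, int], ...] = ((17, 4, 2), (17, 3, 5), (17, 2, 9))

# GitLab reports versions such as "17.4.1-ee" (EE) or "17.4.1" (CE).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), suffix) for a GitLab version string."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch), (m.group(4) or "")


def is_patched(version: str) -> bool:
    """True if `version` carries the fixes shipped in 17.4.2 / 17.3.5 / 17.2.9.

    Patched means: at or above the fixed release of the same minor line, or on a
    minor line newer than any the advisory covers (17.5 and later ship the fix).
    Older minor lines received no patch release and are reported as unpatched.
    """
    (major, minor, patch), _suffix = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if (major, minor) == fixed[:2]:
            return (major, minor, patch) >= fixed
    newest_fixed_line = max(FIXED_VERSIONS)[:2]
    return (major, minor) > newest_fixed_line


def assess_instance(version_json: str) -> Dict[str, object]:
    """Triage the JSON body of GET /api/v4/version.

    Fetch it with an API token, e.g.
      curl --header "PRIVATE-TOKEN: <token>" https://gitlab.example.com/api/v4/version
    (hostname is a placeholder).
    """
    body = json.loads(version_json)
    version = body["version"]
    _nums, suffix = parse_version(version)
    edition = "EE" if suffix.startswith("ee") else "CE"
    patched = is_patched(version)
    return {
        "version": version,
        "edition": edition,
        "patched": patched,
        # The advisory describes CVE-2024-9164 as an EE issue; the other fixes ship in both editions.
        "cve_2024_9164_exposure": (not patched) and edition == "EE",
        "fixed_versions": ["17.4.2", "17.3.5", "17.2.9"],
    }


if __name__ == "__main__":
    # Constructed sample of what /api/v4/version returns on an unpatched EE instance.
    SAMPLE_RESPONSE = '{"version": "17.4.1-ee", "revision": "0000000"}'
    for key, value in assess_instance(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The minor-line rule matters more than it looks: a 17.1.9 instance has a higher patch number than 17.2.9 but received none of these fixes, so a naive numeric comparison against the lowest fixed version would wrongly report it as safe.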


Source: https://securityonline.info/cve-2024-9164-cvss-9-6-gitlab-users-urged-to-update-now