GitLab has released critical patches for its Community Edition (CE) and Enterprise Edition (EE) in versions 17.4.2, 17.3.5, and 17.2.9. All self-managed GitLab installations should apply them, as they address a series of vulnerabilities and bugs that could compromise user data and system security.
GitLab.com is already operating on the patched versions, while GitLab Dedicated customers are advised that no immediate action is necessary on their part.
Latest GitLab Critical Patches
The patches contain fixes for vulnerabilities in GitLab, and the company strongly urges all users to upgrade their installations without delay. Maintaining the latest version not only protects user data but also ensures compliance with GitLab’s commitment to security. For those who rely on self-managed instances, the upgrades are not merely recommended; they are critical for operational integrity.
GitLab follows a structured release schedule that includes both planned and ad-hoc critical patches. Scheduled releases occur twice a month, specifically on the second and fourth Wednesdays, while critical patches address high-severity vulnerabilities as they arise. For additional information on release schedules, users can refer to GitLab’s release handbook and security FAQ.
As part of GitLab’s transparent approach, details about each vulnerability are made publicly available on their issue tracker 30 days after the patch is released. This allows users to stay informed about potential threats and the measures taken to mitigate them.
Key Vulnerabilities Addressed
The latest GitLab critical patches contain multiple fixes for vulnerabilities in GitLab, categorized by severity. Here are some notable issues that have been patched:
- Critical Vulnerability: Running Pipelines on Arbitrary Branches (CVE-2024-9164)
This critical vulnerability allowed attackers to run pipelines on arbitrary branches across versions from 12.5 up to the latest release prior to the patches. The severity rating for this issue is CVSS 9.6, indicating a substantial threat level.
- High Severity: Impersonating Arbitrary Users (CVE-2024-8970)
Another significant vulnerability allowed an attacker to trigger a pipeline as another user under specific conditions. This issue affected versions starting from 11.6 up to 17.4.2 and was also rated high with a CVSS score of 8.2.
- High Severity: SSRF in Analytics Dashboard (CVE-2024-8977)
Instances with Product Analytics Dashboard enabled were found vulnerable to Server-Side Request Forgery (SSRF) attacks. This issue, affecting versions starting from 15.10, was rated high with a CVSS score of 8.2. Thanks to community vigilance, this vulnerability has been patched.
- High Severity: Slow Diffs of Merge Requests with Conflicts (CVE-2024-9631)
Viewing diffs of merge requests (MR) that contain conflicts was notably slow due to inefficiencies in processing. This issue impacted versions starting from 13.6, and although it does not compromise security per se, it can hinder productivity. This vulnerability also received a high severity rating of 7.5.
- High Severity: HTML Injection in OAuth Page (CVE-2024-6530)
A cross-site scripting (XSS) vulnerability was identified, allowing unauthorized HTML rendering when authorizing new applications. The vulnerability, present in versions prior to the latest releases, has been patched and carries a severity rating of 7.3.
- Medium Severity: Deploy Keys Pushing Changes to Archived Repositories (CVE-2024-9623)
A medium severity issue was discovered where deploy keys could push changes to archived repositories. This vulnerability affects versions starting from 8.16 and poses risks if not addressed.
- Low Severity: GitLab Instance Version Disclosure (CVE-2024-9596)
A low-severity issue allowed unauthenticated attackers to discover the version number of a GitLab instance, which could lead to targeted attacks. This vulnerability highlights the importance of safeguarding even seemingly minor details in system configurations.
Recommended Actions for Users
Given the critical nature of these GitLab vulnerabilities, the organization strongly advises all users running affected versions to upgrade to the latest patch releases as soon as possible. The GitLab community, which includes both self-managed and cloud users, can significantly benefit from these updates.
For users looking to update their GitLab installations, guidance is available on the GitLab Update page. Additionally, instructions for updating GitLab Runner can be found on a separate page dedicated to the runner’s updates.
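A version triage check for the upgrade advice above, as an added example that is not GitLab's own tooling: it compares a self-managed instance's version against the patch releases named in this article and lists the CVEs whose stated starting version it meets. The function names and the sample inventory are constructed, and treating release lines newer than 17.4 as already fixed is an assumption.

```python
import re

# Patch releases named in the article, keyed by (major, minor) release line.
PATCHED = {(17, 4): 2, (17, 3): 5, (17, 2): 9}

# First affected (major, minor) as stated in the article; None where it gives none.
CVES = {
    "CVE-2024-9164": (12, 5),
    "CVE-2024-8970": (11, 6),
    "CVE-2024-8977": (15, 10),  # only with Product Analytics Dashboard enabled
    "CVE-2024-9631": (13, 6),
    "CVE-2024-6530": None,
    "CVE-2024-9623": (8, 16),
    "CVE-2024-9596": None,
}


def parse_version(text):
    """Parse '17.3.4', 'v17.3.4' or '17.3.4-ee' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version):
    """True if the version is at or above the patch release for its line."""
    major, minor, patch = parse_version(version)
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    # Assumption: release lines newer than 17.4 already contain the fixes;
    # older lines have no patch release listed in the article.
    return (major, minor) > max(PATCHED)


def applicable_cves(version):
    """CVEs from the article that may apply to an unpatched version."""
    if is_patched(version):
        return []
    line = parse_version(version)[:2]
    return sorted(c for c, start in CVES.items() if start is None or line >= start)


if __name__ == "__main__":
    # Constructed inventory of self-managed instance versions.
    for v in ["17.4.2-ee", "17.3.4", "17.2.9", "16.11.8", "15.9.0", "12.4.3"]:
        print(v, "patched" if is_patched(v) else applicable_cves(v))
```

CVEs listed with `None` are reported for every unpatched version because the article gives no starting version for them.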