GitLab has issued new security patches for both its Community Edition (CE) and Enterprise Edition (EE) products, urging all self-managed users to update immediately to versions 17.4.2, 17.3.5, or 17.2.9. These updates address multiple critical and high-severity vulnerabilities, including a serious flaw that could allow unauthorized users to execute pipelines on arbitrary branches.

The latest release follows a recent surge in security issues GitLab has had to resolve. Last month, GitLab addressed a critical vulnerability (CVE-2024-6678) with a CVSS score of 9.9, which could have allowed attackers to run pipeline jobs as any user. Prior to that, the company resolved several other high-severity vulnerabilities—CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385—each scoring 9.6 in CVSS ratings. In May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) classified CVE-2023-7028 as a Known Exploited Vulnerability (KEV) after detecting active exploitation attempts.

Highlights of Recent GitLab Security Fixes

The latest patches resolve critical and high-severity vulnerabilities, including risks such as unauthorized user impersonation, server-side request forgery (SSRF) on the Analytics Dashboard, and HTML injection vulnerabilities on the OAuth page. GitLab’s security team has addressed eight vulnerabilities in total, covering a range of severities.

The most serious vulnerability, CVE-2024-9164, affects all GitLab versions from 12.5 up to the latest patch. This flaw could enable attackers to run pipelines on arbitrary branches, potentially compromising project integrity and data security. Another high-severity issue, CVE-2024-8970, impacts versions from 11.6 onwards, potentially allowing unauthorized pipeline triggers as another user in specific cases. Although there is currently no evidence of these vulnerabilities being actively exploited, GitLab strongly advises users to upgrade immediately to mitigate potential threats.

Alongside security enhancements, these patches also resolve several bugs, including issues with label filtering, 401 errors for unauthenticated requests in the go-get feature, and project template disclosure.

GitLab continues to advocate for consistent security practices, reminding customers of the importance of timely updates to ensure secure and resilient GitLab instances, especially in light of recent critical vulnerabilities. The company underscores that prompt patching and proactive security measures are essential for all organizations using GitLab for development and collaboration.