GitLab Vulnerability Allows Pipeline Jobs to Be Run as Another User

Corrective updates have been published for GitLab, the collaborative development platform: versions 17.1.1, 17.0.3, 16.11.5, 16.10.8, 16.9.9, 16.8.8, 16.7.8 and 16.6.8, which fix 14 vulnerabilities. One of the issues (CVE-2024-5655), present since the release of GitLab 15.8, has been assigned a critical severity level. The vulnerability allows jobs in the continuous integration pipeline (pipeline jobs) to be run as an arbitrary user. Running jobs in the context of another user gives an attacker access to that user's internal repositories and private projects.
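A version check against the corrective releases listed above, as an added example that is not part of the original article or of GitLab's own tooling. The function names, status strings and sample inventory are hypothetical, and treating branches newer than 17.1 as patched is an assumption.

```python
import re

# Corrective releases named in the article, keyed by (major, minor) branch.
FIXED_PATCH = {(17, 1): 1, (17, 0): 3, (16, 11): 5, (16, 10): 8,
               (16, 9): 9, (16, 8): 8, (16, 7): 8, (16, 6): 8}
FIRST_AFFECTED = (15, 8)  # article: the issue is present since GitLab 15.8


def parse_version(version):
    """Parse '16.9.3', 'v16.9.3' or '16.9.3-ee' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(g) for g in m.groups())


def cve_2024_5655_status(version):
    """Classify one version for CVE-2024-5655 only (not the other 13 fixes)."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not-affected"  # predates 15.8
    if branch in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if branch > max(FIXED_PATCH):
        return "patched"  # assumption: later branches carry the fix forward
    # 15.8 through 16.5: affected, and the article lists no corrective release.
    return "vulnerable-no-listed-fix"


def hosts_needing_upgrade(inventory):
    """Return {host: status} for every host whose version is still exposed."""
    exposed = {}
    for host, version in inventory.items():
        status = cve_2024_5655_status(version)
        if status.startswith("vulnerable"):
            exposed[host] = status
    return exposed


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "gitlab-a.example.internal": "16.9.8-ee",
    "gitlab-b.example.internal": "17.1.1",
    "gitlab-c.example.internal": "15.11.13",
    "gitlab-d.example.internal": "15.7.9",
}

if __name__ == "__main__":
    for host, status in hosts_needing_upgrade(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```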

Information about the vulnerability was passed to GitLab as part of the HackerOne vulnerability bounty program. Detailed information about the vulnerability is planned to be disclosed 30 days after the patch is published.

In addition, the GitLab updates fix three vulnerabilities that were assigned a high severity level: JavaScript code injection (XSS) in commit notes, calls to the GraphQL API made on behalf of the victim when they open a specially crafted page (CSRF), and a leak of the contents of private repositories through the use of search in public projects.
