CVE-2024-5655: Latest GitLab API Vulnerability Threatens Customer Data Exposure

A security flaw that impacts specific versions of GitLab's Community and Enterprise Edition products was just detected. This vulnerability can be exploited to execute pipelines under any user's credentials.

GitLab is a web-based DevOps platform offering tools for software development, version control, and project management. Launched as an open-source project in 2011, it has become a powerful solution used globally by millions. GitLab integrates CI/CD pipelines for efficient automation of testing and deployment, supporting all stages of the software development lifecycle.

This security vulnerability, designated as CVE-2024-5655, is classified with a critical severity rating of 9.6 out of 10. The vulnerability allows an attacker (under specific but unspecified conditions) to exploit the flaw and initiate a pipeline impersonating another user. The vulnerability affects all GitLab CE/EE versions from 15.8 to 16.11.4, 17.0.0 to 17.0.2, and 17.1.0. 

This could lead to unauthorized actions within the system, potentially compromising sensitive data and overall system integrity. Immediate attention and remediation are crucial to prevent exploitation and ensure the security of affected GitLab instances.

GitLab Announces Patch Updates

GitLab has fixed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and advises users to install these updates promptly.

“We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version.” - GitLab Community

The vendor also notes that upgrading to the latest versions introduces two significant changes that users need to be aware of:

• Pipelines will no longer automatically run when a merge request is re-targeted after its previous target branch was merged. Users will need to start the pipeline to execute CI for their changes manually.
• Starting from version 17.0.0, the CI_JOB_TOKEN is disabled by default for GraphQL authentication. This change has been backported to versions 17.0.3 and 16.11.5. Users must configure one of the supported token types for authentication to access the GraphQL API.

The latest GitLab update also addresses security fixes for 13 additional issues, with three of them rated as "high" severity (CVSS v3.1 scores: 7.5 – 8.7). These three vulnerabilities are described as follows:

• CVE-2024-4901: A stored XSS vulnerability allowing malicious commit notes from imported projects to inject scripts, potentially leading to unauthorized actions and data exposure
• CVE-2024-4994: A CSRF vulnerability in the GraphQL API enabling attackers to execute arbitrary GraphQL mutations by tricking authenticated users into making unwanted requests, potentially leading to data manipulation and unauthorized operations
• CVE-2024-6323: An authorization flaw in GitLab’s global search feature that allows attackers to view search results from private repositories within public projects, potentially causing information leaks and unauthorized access to sensitive data

Protecting GraphQL Endpoints with Wallarm

You can explore GraphQL policy violations (GraphQL attacks) in the Wallarm Console → Attacks section. Read more about GraphQL attacks and graphQL attack protection.