SecurityWeek reports that GitLab has released updates resolving 14 vulnerabilities affecting several versions of its Community Edition and Enterprise Edition software.
The most severe of the addressed flaws is a critical bug in GitLab CE/EE versions newer than 15.8, 17.0, and 17.1, tracked as CVE-2024-5655, which could be exploited to trigger the automated execution of a pipeline when a merge request is automatically re-targeted; GitLab said it has seen no active exploitation of the issue so far. The updates also remediate three high-severity flaws: an improper authorization in search issue, tracked as CVE-2024-6323, a cross-site request forgery bug, tracked as CVE-2024-4994, and a cross-site scripting vulnerability, tracked as CVE-2024-4901. GitLab has additionally addressed nine medium-severity flaws, including ones that could be leveraged for denial of service, OAuth authentication flow exploitation, and deletion of merge request approval policies. Organizations running vulnerable GitLab CE/EE instances have been urged to update immediately to versions 17.1.1, 17.0.3, or 16.11.5.
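A defender's first question is whether each instance in the inventory is already on one of the fixed releases. The check below is an added example written for this summary, not GitLab's own tooling; it uses the fixed versions named above and assumes, since the summary does not say so explicitly, that the affected range begins at 15.8.0 and that branches between 15.8 and 16.11 received no backport and must move to 16.11.5.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory summary, keyed by (major, minor) branch.
FIXED_RELEASES = {(16, 11): (16, 11, 5), (17, 0): (17, 0, 3), (17, 1): (17, 1, 1)}
# Assumption (not stated in the summary): the affected range starts at 15.8.0,
# and branches from 15.8 up to 16.10 have no fix of their own.
OLDEST_AFFECTED: Version = (15, 8, 0)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (an '-ee'/'-ce' suffix is tolerated) into a tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def target_release(version: Version) -> Optional[Version]:
    """Lowest fixed release for this version's branch, or None when the advisory
    summary does not cover the branch (before 15.8, or a branch newer than 17.1)."""
    branch = version[:2]
    if version < OLDEST_AFFECTED or branch > (17, 1):
        return None
    # Branches 15.8 .. 16.10 fall back to the oldest fixed release, 16.11.5.
    return FIXED_RELEASES.get(branch, FIXED_RELEASES[(16, 11)])


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return ('patched' | 'vulnerable' | 'not-in-advisory', recommended upgrade)."""
    version = parse_version(version_text)
    target = target_release(version)
    if target is None:
        return ("not-in-advisory", None)
    if version >= target:
        return ("patched", None)
    return ("vulnerable", ".".join(str(n) for n in target))


if __name__ == "__main__":
    # Constructed sample of instance versions as an asset inventory might report them.
    for v in ["16.10.6-ee", "16.11.4", "16.11.5", "17.0.2", "17.1.1", "15.7.0"]:
        print(v, *assess(v))
```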