
GitLab Releases Updates to Address Dozens of Vulnerabilities

GitLab has recently released updates that address 14 vulnerabilities affecting various versions of its Community Edition (CE) and Enterprise Edition (EE) software. According to a report by SecurityWeek, the most critical of these is a bug tracked as CVE-2024-5655, which affects versions newer than 15.8, 17.0, and 17.1.

This critical bug could allow a pipeline to be executed automatically when a merge request is automatically re-targeted. GitLab has emphasized that no exploitation of the issue has been reported so far. Alongside this critical flaw, the updates also address three high-severity vulnerabilities: an improper authorization issue in search (CVE-2024-6323), a cross-site request forgery bug (CVE-2024-4994), and a cross-site scripting vulnerability (CVE-2024-4901).

Additionally, GitLab has fixed nine medium-severity flaws, some of which could be exploited for denial-of-service attacks, abuse of the OAuth authentication flow, and deletion of merge request approval policies. Organizations running vulnerable GitLab CE/EE instances are strongly advised to update to the latest versions, namely 17.1.1, 17.0.3, and 16.11.5, to mitigate these risks.
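As an added example (not part of the article, and not GitLab's own tooling), the following check compares a GitLab instance's reported version against the three fixed releases named above. It assumes the version string has already been obtained from the instance (for example, the `version` field returned by the `/api/v4/version` endpoint); the sample inputs at the bottom are constructed.

```python
from typing import Dict, Tuple

# Fixed releases named in the advisory summary, keyed by (major, minor) release line.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 1): (17, 1, 1),
    (17, 0): (17, 0, 3),
    (16, 11): (16, 11, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a GitLab 'MAJOR.MINOR.PATCH' string into a comparable tuple.
    Edition suffixes such as '-ee' are ignored; a missing patch component counts as 0."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def check_version(version: str) -> Tuple[str, str]:
    """Return (status, detail) where status is 'patched', 'vulnerable' or 'unknown'.
    Only the three release lines that received fixes are treated as patchable in place;
    an older line (e.g. 16.10.x) is reported as vulnerable because it predates every fix,
    and a line newer than the fixed releases is reported as unknown, since this table
    cannot speak for releases the advisory does not cover."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    newest = max(FIXED_RELEASES.values())
    if fixed is None:
        if v > newest:
            return "unknown", f"{version} is newer than the fixed releases; consult GitLab's current advisories"
        return "vulnerable", f"{version} predates all fixed release lines; upgrade to {'.'.join(map(str, newest))}"
    if v < fixed:
        return "vulnerable", f"{version} is below fixed release {'.'.join(map(str, fixed))}"
    return "patched", f"{version} includes the fixes"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version string reported by each instance.
    sample_inventory = {
        "gitlab-a.example": "17.1.0-ee",
        "gitlab-b.example": "17.0.3",
        "gitlab-c.example": "16.10.2",
        "gitlab-d.example": "17.2.0",
    }
    for host, ver in sample_inventory.items():
        status, detail = check_version(ver)
        print(f"{host}: {status} ({detail})")
```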
