https://vulnerability.circl.lu/comments/feed 2024-11-15T04:22:51.232706+00:00 Vulnerability Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://vulnerability.circl.lu/comment/af885327-bc8d-4e07-9ea5-a86cda87beb0 2024-11-15T04:22:51.238549+00:00 Alexandre Dulaunoy http://vulnerability.circl.lu/user/adulau - GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 - [https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/](https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/) Run pipelines on arbitrary branches An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164. 2024-10-11T12:22:18.480655+00:00 https://vulnerability.circl.lu/comment/62ceedbe-65b3-4d7b-ab79-6c0240b18d71 2024-11-15T04:22:51.236608+00:00 Luciano http://vulnerability.circl.lu/user/righel From a quick analysis comparing the previous tag and the information found in the the changelog: `[Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))` the fix of this vuln seems to be: https://gitlab.com/gitlab-org/gitlab/-/commit/480d0bd7ccdca6f93ff715abcd6c2fa7a9bebec2 2024-10-11T12:46:48.032889+00:00