Important: GitLab Fixes Critical Flaw Permitting Unauthorized Pipeline Job Execution
GitLab issued security updates on Wednesday to fix 17 security vulnerabilities, including a critical flaw that enables an intruder to execute pipeline jobs as an arbitrary user.
The problem, tracked as CVE-2024-6678, has received a CVSS score of 9.9 out of a possible 10.0.
“A vulnerability has been identified in GitLab CE/EE affecting all versions from 8.14 to 17.1.7, from 17.2 to 17.2.5, and from 17.3 to 17.3.2, permitting an attacker to initiate a pipeline as an arbitrary user under specific conditions,” the firm stated in its advisory.
The flaw, along with three high-severity, 11 medium-severity, and two low-severity issues, has been resolved in versions 17.3.2, 17.2.5, and 17.1.7 of GitLab Community Edition (CE) and Enterprise Edition (EE).
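As an added illustration that is not part of the original article, the following script encodes the affected version ranges quoted above so an administrator can check whether a given GitLab release still needs the CVE-2024-6678 patch. It assumes the upper bound of each range is the patched release named in the advisory and is therefore excluded.

```python
from typing import Tuple

# Affected ranges for CVE-2024-6678 as quoted from the GitLab advisory.
# Assumption: the upper bound of each range is the fixed release (17.1.7,
# 17.2.5, 17.3.2), so it is treated as exclusive.
AFFECTED_RANGES = (
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    Edition suffixes such as '17.3.1-ee' are dropped; a missing patch
    component is treated as 0 (so '17.2' compares as 17.2.0).
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the release falls inside any advisory range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> str:
    """Lowest patched release that closes the range the version falls in.

    Returns '' when the version is not affected. Branches older than 17.1
    have no patched release of their own, so they map to 17.1.7.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return ""


if __name__ == "__main__":
    # Constructed sample inventory of instance versions, not real hosts.
    for ver in ("16.11.3", "17.1.6-ee", "17.2.5", "17.3.1", "17.4.0"):
        fix = minimum_fix(ver)
        print(f"{ver:>10}: {'upgrade to ' + fix if fix else 'not affected'}")
```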
It’s important to highlight that CVE-2024-6678 is the fourth such issue that GitLab has addressed in the last year following CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).
Although there is no proof of active exploitation of these vulnerabilities, users are advised to implement the patches promptly to minimize potential risks.
In May earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) was being actively leveraged in the wild.