GitLab has released patch versions 17.3.2, 17.2.5 and 17.1.7 to address a critical vulnerability in GitLab CE/EE; every release from 8.14 up to, but not including, those fixed versions is affected.
Description
The vulnerability, tracked as CVE-2024-6678, lets an attacker trigger pipeline jobs as an arbitrary user under certain circumstances and execute environment stop actions [7]; it carries a CVSS score of 9.9. Exploitation requires an authenticated account on the targeted GitLab instance [1], so the flaw is a privilege-escalation path for any low-privileged user, not a remote unauthenticated one. In the same releases GitLab also patched three high-severity, 11 medium-severity [3], and two low-severity bugs [2]. This is the fourth flaw of this class (running pipelines as another user) that GitLab has fixed in roughly a year, after CVE-2023-5009 [6], CVE-2024-5655 [2] [4] [6], and CVE-2024-6385 [4] [6]. No active exploitation has been reported [3], but users are strongly advised to apply the patches promptly, since a CI pipeline running as another user can reach that user's repositories, protected variables and deployment environments, and any compromise there can propagate to downstream systems.
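A practitioner's first question on an advisory like this is "which of my instances are in the affected window?" The script below is an added example, not code from GitLab or from any of the cited articles. It encodes the affected ranges stated in GitLab's patch release (8.14 up to 17.1.7, 17.2 up to 17.2.5, 17.3 up to 17.3.2), parses the version strings GitLab reports (for example `17.3.1-ee`, as returned by `GET /api/v4/version`), and reports for each host whether it is vulnerable to CVE-2024-6678 and the first fixed release on its branch. The host inventory at the bottom is constructed for illustration; replace it with data from your own environment.

```python
"""Triage GitLab instances against the CVE-2024-6678 affected ranges.

Added example, not GitLab's own tooling.  Range boundaries are taken from
GitLab's 17.3.2 / 17.2.5 / 17.1.7 patch release.  The inventory below is
constructed sample data.
"""
import re

# (first affected, first fixed): a version is affected when
# first_affected <= version < first_fixed on one of these branches.
AFFECTED_RANGES = [
    ((8, 14, 0), (17, 1, 7)),   # everything from 8.14 through the 17.1 branch
    ((17, 2, 0), (17, 2, 5)),   # 17.2 branch
    ((17, 3, 0), (17, 3, 2)),   # 17.3 branch
]

# Accepts "17.3.1", "17.3.1-ee", "17.3", "17.4.0-pre"; the suffix is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?$")


def parse_version(text):
    """Turn a GitLab version string into a (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fixed_version_for(text):
    """Return the first fixed release for this version's branch, or None if
    the version is not in any affected range."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(text):
    """True when the version falls inside a CVE-2024-6678 affected range."""
    return fixed_version_for(text) is not None


def triage(inventory):
    """Map host -> (version, affected?, upgrade target or None).

    Unparseable versions are reported as affected so they are not silently
    dropped from the patch list.
    """
    report = {}
    for host, version in inventory.items():
        try:
            target = fixed_version_for(version)
            report[host] = (version, target is not None, target)
        except ValueError:
            report[host] = (version, True, "unknown version, inspect manually")
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "git-prod.example.test": "17.3.1-ee",
    "git-staging.example.test": "17.3.2-ee",
    "git-legacy.example.test": "16.11.4",
    "git-dev.example.test": "17.4.0-pre",
}

if __name__ == "__main__":
    for host, (ver, hit, target) in triage(SAMPLE_INVENTORY).items():
        status = f"AFFECTED, upgrade to {target}" if hit else "not affected"
        print(f"{host:28} {ver:12} {status}")
```

Note that `fixed_version_for` names the first patched release on the instance's own branch, which is the minimal jump; an instance several minor versions behind still has to follow GitLab's documented upgrade path to get there, which this check does not compute.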
Conclusion
Organizations using GitLab are urged to update their installations promptly to prevent potential exploitation by threat actors [5]. Failure to apply security patches could leave systems vulnerable to data breaches and malicious code execution [5]. Staying informed about security advisories and promptly applying updates is crucial to safeguarding sensitive data and maintaining the integrity of development environments [5].
References
[1] https://www.heise.de/news/Sicherheitspatch-Gitlab-behebt-Luecken-in-Serverversionen-9866401.html
[2] https://thehackernews.com/2024/09/urgent-gitlab-patches-critical-flaw.html
[3] https://fieldeffect.com/blog/gitlab-patches-highly-critical-pipeline-job-execution-flaw
[4] https://secalerts.co/vulnerability/CVE-2024-6678
[5] https://www.krofeksecurity.com/urgent-update-gitlab-addresses-critical-vulnerability-allowing-unauthorized-pipeline-job-execution/
[6] https://cyberdefence247.com/gitlab-patches-critical-flaw-allowing-unauthorized-pipeline-job-execution/
[7] https://feedly.com/cve/CVE-2024-6678