Critical Pipeline Execution Flaw Among 17 Vulnerabilities Patched by GitLab

September 14, 2024

GitLab has released security patches for its Community Edition (CE) and Enterprise Edition (EE) that address a critical flaw along with 16 other vulnerabilities. The most severe of these is a pipeline execution flaw, tracked as CVE-2024-6678, with a CVSS score of 9.9. Under certain conditions, this flaw could permit an attacker to trigger a pipeline as an arbitrary user; because a pipeline runs with the permissions of the user who triggered it, this lets an attacker have CI jobs executed under another user's identity. The company's advisory states, “An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.” The issue was reported to GitLab through its bug bounty program operated by HackerOne, and is fixed in GitLab 17.1.7, 17.2.5 and 17.3.2.

Another high-severity issue, tracked as CVE-2024-8640 and with a CVSS score of 8.5, was also addressed in GitLab EE. The flaw could allow an attacker to inject commands into a connected Cube server (the analytics query engine behind GitLab's product analytics feature). The advisory reads, “An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.” This vulnerability was also reported through the HackerOne bug bounty program and is fixed in the same three releases.
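The two advisories above give their affected ranges as "from X prior to Y" intervals across three release lines, which is easy to misread when checking an installed instance (17.1.8, for example, is fixed even though it is older than 17.2). The following script is an added example, not GitLab's code or part of the advisory: it encodes the quoted ranges and checks a version string such as the one shown on a GitLab instance's help page (`17.2.4-ee`) against them. The range table is copied from the advisory text quoted above; the function names, the edition handling and the sample versions are this example's own.

```python
import re

# Affected ranges per CVE: (first affected version, inclusive; first fixed version, exclusive).
# Copied from the GitLab advisory text quoted on this page.
AFFECTED_RANGES = {
    "CVE-2024-6678": [("8.14", "17.1.7"), ("17.2", "17.2.5"), ("17.3", "17.3.2")],
    "CVE-2024-8640": [("16.11", "17.1.7"), ("17.2", "17.2.5"), ("17.3", "17.3.2")],
}

# CVE-2024-8640 is reported against GitLab EE only; CVE-2024-6678 against both CE and EE.
EDITIONS = {"CVE-2024-6678": {"ce", "ee"}, "CVE-2024-8640": {"ee"}}

# Accepts "17.2.4", "v17.2.4", "17.2.4-ee", "17.2.4-ce" (edition suffix optional).
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:-(ce|ee))?", re.IGNORECASE)


def parse_version(text):
    """Parse '17.2.4-ee' into ((17, 2, 4), 'ee').

    Missing components are padded with 0 so that '17.2' (the start of a
    release line) sorts before '17.2.1'. A missing edition is returned as None.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    edition = m.group(2).lower() if m.group(2) else None
    return tuple(parts), edition


def is_affected(version, cve, edition=None):
    """True if `version` falls inside any affected range for `cve`.

    `edition` ('ce'/'ee') overrides a suffix in the version string. If the
    edition is unknown the edition check is skipped, which errs towards
    reporting an EE-only CVE as affecting the instance.
    """
    v, parsed_edition = parse_version(version)
    ed = (edition or parsed_edition or "").lower()
    if ed and ed not in EDITIONS[cve]:
        return False
    return any(
        parse_version(lo)[0] <= v < parse_version(hi)[0]
        for lo, hi in AFFECTED_RANGES[cve]
    )


def affected_cves(version, edition=None):
    """Sorted list of the CVEs from this advisory that apply to `version`."""
    return sorted(cve for cve in AFFECTED_RANGES if is_affected(version, cve, edition))


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ("17.2.4-ee", "17.3.1-ce", "16.10.0-ee", "17.1.8-ee", "17.2.5-ee", "8.13.9"):
        print(f"{sample:>12} -> {', '.join(affected_cves(sample)) or 'not affected'}")
```

The comparison treats each advisory interval as half-open, so the first fixed version of each release line is correctly reported as not affected, and a version such as 17.1.8 is not swept into the 17.2 range.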

In addition to these, GitLab fixed a number of medium- and low-severity vulnerabilities. These could lead to protection bypasses, privilege escalation, unauthorized read access to private project source code, GitLab token retrieval, account takeover, and information leaks. The company continues to encourage the reporting of potential vulnerabilities through its bug bounty program as part of its ongoing commitment to maintaining the security and integrity of its software.
