Critical Security Flaw Found in GitLab Pipeline Execution: Immediate Updates Released

September 12, 2024

GitLab has rolled out critical updates to address multiple vulnerabilities, the most severe being CVE-2024-6678, which enables an attacker to initiate pipelines as arbitrary users under certain circumstances. The patched releases are 17.3.2, 17.2.5, and 17.1.7 of both GitLab Community Edition (CE) and Enterprise Edition (EE). Together they address a total of 18 security issues as part of GitLab's bi-monthly scheduled security updates.

The critical vulnerability, CVE-2024-6678, with a CVSS severity score of 9.9, could allow an attacker to execute environment stop actions as the owner of the stop action job. The severity of this flaw stems from its potential for remote exploitation, the absence of any user interaction, and the low level of privileges needed to exploit it. GitLab advises that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.
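The affected ranges above are easy to misread when triaging an inventory of self-managed instances, so the following added example (not code from the article or from GitLab) encodes them as half-open version intervals and checks a list of instances against them. It takes the bounds from the advisory summary as stated here: 8.14 up to (but not including) 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2, treating each patched release itself as unaffected. The inventory entries are constructed sample data, not real hosts.

```python
"""Triage helper for CVE-2024-6678: classify GitLab CE/EE version strings
against the affected ranges given in the advisory summary.
Added example; the instance inventory below is constructed, not real data."""
import re

# Affected ranges as (inclusive lower bound, exclusive upper bound); the
# upper bound of each range is the patched release for that line.
AFFECTED_RANGES = (
    ((8, 14, 0), (17, 1, 7)),   # 8.14 up to 17.1.7
    ((17, 2, 0), (17, 2, 5)),   # 17.2 prior to 17.2.5
    ((17, 3, 0), (17, 3, 2)),   # 17.3 prior to 17.3.2
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn a GitLab version string such as '17.2.4-ee' or '17.3.1'
    into a (major, minor, patch) tuple; edition suffixes are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version lies inside any of the affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version_text):
    """Return the patched release that closes the range the instance falls in,
    or None when the instance is already patched or outside the ranges."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def triage(inventory):
    """Given {instance_name: version_string}, return a sorted list of
    (name, version, affected, fixed_version) tuples, affected first."""
    rows = []
    for name, version in inventory.items():
        rows.append((name, version, is_affected(version), fixed_version_for(version)))
    return sorted(rows, key=lambda r: (not r[2], r[0]))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample_inventory = {
        "gitlab-prod": "17.2.4-ee",
        "gitlab-staging": "17.3.2-ee",
        "gitlab-legacy": "16.11.6-ce",
        "gitlab-dev": "17.1.7-ce",
    }
    for name, version, affected, fix in triage(sample_inventory):
        status = f"AFFECTED -> upgrade to {fix}" if affected else "not affected"
        print(f"{name:16} {version:12} {status}")
```

The version string for a running instance is what `GET /api/v4/version` returns in its `version` field (the endpoint requires an authenticated token), so the same check can be fed from an API sweep instead of a hand-maintained dictionary.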

GitLab pipelines are automated workflows that are used to build, test, and deploy code. They are part of GitLab’s CI/CD (Continuous Integration/Continuous Delivery) system and are designed to optimize the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.

GitLab has addressed arbitrary pipeline execution vulnerabilities several times in recent months, including CVE-2024-6385 in July 2024, CVE-2024-5655 in June 2024, and CVE-2023-5009 in September 2023, all of which were rated as critical.

The bulletin also lists four high-severity issues with CVSS scores between 6.7 and 8.5, which could allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources.

For update instructions, source code, and packages, see GitLab's official download portal.
