GitLab Ships Update for Critical Pipeline Execution Vulnerability


DevOps platform GitLab has pushed out security updates that address six vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including a critical-severity bug with serious implications.

The issue, tracked as CVE-2024-6385 (CVSS score 9.6/10), allows an attacker to trigger a pipeline as another user under certain circumstances. It impacts GitLab CE/EE versions 15.8 to 16.11.5, 17.0.0 to 17.0.3, and 17.1.0 to 17.1.1.

Reported via GitLab’s bug bounty program on HackerOne, the security defect was addressed with the release of GitLab CE/EE versions 17.1.2, 17.0.4, and 16.11.6.

The GitLab advisory does not include further details on the security defect or how it was resolved.

In an emailed comment to SecurityWeek, Contrast Security CEO David Lindner warned that successful exploitation of the bug “could enable attackers to run malicious code, access sensitive data and compromise software integrity”. 

Patches for CVE-2024-6385 were released roughly two weeks after the DevOps platform addressed another flaw (CVE-2024-5655) that allows attackers to run pipeline jobs as another user.

The latest GitLab security updates also resolve a medium-severity bug that could allow a user with a custom role to modify the URL for a group namespace.

The remaining four issues resolved with the latest GitLab CE/EE versions are low-severity flaws: inappropriate creation of project-level deploy tokens, upload of NPM packages with conflicting package data, banning of group members by users with a custom role, and subdomain takeover in GitLab Pages.


GitLab makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to update their instances as soon as possible, as threat actors are known to have exploited GitLab vulnerabilities for which patches had been released.
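For administrators who want a quick way to tell whether an instance falls inside the affected ranges quoted above, the following is an added example written for this page (not GitLab's own tooling or anything from the advisory). It encodes only the version ranges and fixed releases stated in the article, parses the version string an instance reports (the `/api/v4/version` endpoint returns a JSON object with a `version` field), and says which fixed release to move to. The `SAMPLE_VERSION_JSON` value is constructed for illustration, not a captured response.

```python
"""Classify a GitLab CE/EE version against the CVE-2024-6385 affected ranges.

Added example for this article, not GitLab's code. The ranges below come
from the text: 15.8 up to and including 16.11.5, 17.0.0 to 17.0.3, and
17.1.0 to 17.1.1 are affected; 16.11.6, 17.0.4 and 17.1.2 are the fixes.
"""
import json
import re

# (first affected version, first fixed version) per release branch,
# expressed as inclusive lower bound / exclusive upper bound.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]

# Constructed stand-in for the JSON body of GET /api/v4/version.
SAMPLE_VERSION_JSON = '{"version": "17.0.3-ee", "revision": "0123abcd"}'


def parse_version(text):
    """Turn '17.0.3-ee' or '16.11.5' into a comparable (major, minor, patch) tuple.

    GitLab appends '-ee' on Enterprise Edition; the regex ignores any suffix.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognized GitLab version string: {text!r}")
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def fixed_release_for(version_text):
    """Return the first fixed release for this branch, or None if not affected."""
    version = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if lower <= version < upper:
            return "%d.%d.%d" % upper
    return None


def is_vulnerable(version_text):
    """True when the version lies inside one of the affected ranges."""
    return fixed_release_for(version_text) is not None


def check_instance(version_json):
    """Parse the /api/v4/version body and report status for CVE-2024-6385."""
    reported = json.loads(version_json)["version"]
    fix = fixed_release_for(reported)
    return {
        "reported": reported,
        "vulnerable": fix is not None,
        "upgrade_to": fix,
    }


if __name__ == "__main__":
    result = check_instance(SAMPLE_VERSION_JSON)
    if result["vulnerable"]:
        print(f"{result['reported']} is affected; upgrade to {result['upgrade_to']}")
    else:
        print(f"{result['reported']} is outside the affected ranges")
```

To run it against a live instance, replace `SAMPLE_VERSION_JSON` with the body returned by `GET /api/v4/version` (the endpoint requires an authenticated token). The check covers only CVE-2024-6385; the earlier CVE-2024-5655 and the lower-severity issues in the same release have their own fixed versions, so the safest course remains upgrading to 17.1.2, 17.0.4 or 16.11.6 rather than reasoning about individual ranges.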

Related: GitLab Patches Critical Pipeline Execution Vulnerability

Related: Thousands of GitLab Instances Unpatched Against Password Reset Bug


Related: GitLab Security Update Patches Critical Vulnerability
