SecurityWeek

GitLab Updates Resolve Critical Pipeline Execution Vulnerability

GitLab has released security updates to resolve multiple vulnerabilities in GitLab CE/EE, including a critical-severity pipeline execution flaw.

GitLab on Thursday announced patches for 17 vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including a critical-severity pipeline execution bug.

Tracked as CVE-2024-6678 (CVSS score of 9.9), the critical flaw could allow “an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” GitLab notes in its advisory.

Successful exploitation of this vulnerability could allow attackers to disrupt services and inject malicious code into production environments, Contrast Security director of product security Naomi Buckwalter told SecurityWeek in an emailed comment.

“Unauthenticated remote execution vulnerabilities like the one recently disclosed can allow attackers to control your CI/CD pipelines without needing legitimate credentials,” Buckwalter warns.

The vulnerability impacts GitLab CE/EE versions from 8.14 to 17.1.6, 17.2 to 17.2.4, and 17.3 to 17.3.1. Patches were included in versions 17.3.2, 17.2.5, and 17.1.7.
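The affected ranges above are per release branch, not one contiguous span: 17.1.7 is patched even though it is older than the unpatched 17.2.0. The following is an added example (not from the article or from GitLab) that encodes those three ranges and reports whether a given GitLab CE/EE version string is affected by CVE-2024-6678 and which patched release in the same branch to move to. It assumes the version string comes from GitLab's `/api/v4/version` endpoint or `gitlab-rake gitlab:env:info`, which report versions in the form `17.3.1-ee`; the function names are this example's own.

```python
"""Check a GitLab CE/EE version against the CVE-2024-6678 affected ranges.

Added example, not GitLab's code. Ranges are those published for the fix
(17.1.7, 17.2.5, 17.3.2), i.e. affected if
  8.14.0 <= v < 17.1.7, or 17.2.0 <= v < 17.2.5, or 17.3.0 <= v < 17.3.2.
"""
from __future__ import annotations

import json
import re
from typing import Optional

Version = tuple[int, int, int]

# (first affected, first fixed) per branch; the upper bound is exclusive.
AFFECTED_RANGES: list[tuple[Version, Version]] = [
    ((8, 14, 0), (17, 1, 7)),   # everything from 8.14 up to the 17.1 fix
    ((17, 2, 0), (17, 2, 5)),   # 17.2 branch
    ((17, 3, 0), (17, 3, 2)),   # 17.3 branch
]


def parse_version(text: str) -> Version:
    """Parse '17.3.1', '17.3.1-ee' or '17.3.1-pre' into a comparable tuple.

    GitLab appends '-ee' / '-ce' / '-pre' suffixes; they do not affect the
    patch level, so only the leading major.minor[.patch] is used.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text: str) -> bool:
    """True if the version falls inside any published affected range."""
    version = parse_version(version_text)
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Return the patched release to move to, or None if not affected.

    For 17.2 and 17.3 that is the fix in the same branch. Anything older is
    reported against 17.1.7, the oldest patched release; reaching it from a
    much older install still has to follow GitLab's documented upgrade path,
    which may require intermediate stops.
    """
    version = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= version < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def check_api_version_payload(payload: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version.

    The payload below in the usage is constructed for this example; a real
    response also carries a 'revision' field that is ignored here.
    """
    data = json.loads(payload)
    version_text = data["version"]
    return {
        "version": version_text,
        "affected": is_affected(version_text),
        "upgrade_to": recommended_upgrade(version_text),
    }


if __name__ == "__main__":
    # Constructed sample response, as an unpatched 17.3 EE instance would return it.
    sample = '{"version": "17.3.1-ee", "revision": "abcdef0"}'
    print(check_api_version_payload(sample))
```

On a self-managed instance the version string can be obtained with `curl -H "PRIVATE-TOKEN: <token>" https://<gitlab-host>/api/v4/version` or `sudo gitlab-rake gitlab:env:info`; the check is deliberately conservative and treats any 17.1.x below 17.1.7 as affected even though GitLab's advisory says exploitation requires certain circumstances.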

CVE-2024-6678 is the third critical-severity pipeline execution defect that GitLab has patched over the past four months, after CVE-2024-5655 and CVE-2024-6385 were fixed in June and July, respectively.


The latest GitLab CE/EE releases also resolve three high-severity bugs that could allow attackers to inject commands into a connected Cube server, make requests to internal resources via a custom Maven Dependency Proxy URL, and send a large glm_source parameter to cause a denial-of-service (DoS) condition.

The security updates also include patches for 11 medium-severity and three low-severity flaws that could lead to GitLab token retrieval, protection bypasses, read access to source code from private projects, account squatting, account takeover, privilege escalation, and information leaks.

Most of the resolved vulnerabilities were reported via GitLab’s bug bounty program on HackerOne. The code-collaboration platform makes no mention of any of these vulnerabilities being exploited in the wild, but recommends that users upgrade to the latest versions as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
