SecurityWeek


GitLab Updates Resolve Critical Pipeline Execution Vulnerability

GitLab has released security updates to resolve multiple vulnerabilities in GitLab CE/EE, including a critical-severity pipeline execution flaw.

GitLab on Thursday announced patches for 17 vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including a critical-severity pipeline execution bug.

Tracked as CVE-2024-6678 (CVSS score of 9.9), the critical flaw could allow “an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” GitLab notes in its advisory.

Successful exploitation of this vulnerability could allow attackers to disrupt services and inject malicious code into production environments, Contrast Security director of product security Naomi Buckwalter told SecurityWeek in an emailed comment.

“Unauthenticated remote execution vulnerabilities like the one recently disclosed can allow attackers to control your CI/CD pipelines without needing legitimate credentials,” Buckwalter warns.

The vulnerability impacts GitLab CE/EE versions from 8.14 to 17.1.6, 17.2 to 17.2.4, and 17.3 to 17.3.1. Patches were included in versions 17.3.2, 17.2.5, and 17.1.7.
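The affected and fixed version ranges above are exactly what an administrator needs to triage their own instances. The following Python script is an added example (not code from SecurityWeek or GitLab) that encodes those three ranges and reports whether a given GitLab version string is inside one of them and which patched release closes it. It assumes version strings of the form "17.3.1" or "17.3.1-ee"; the minimum fixed release for anything in the 8.14 to 17.1.6 range is taken to be 17.1.7, the lowest of the three patched versions the advisory lists.

```python
"""Triage helper: is this GitLab CE/EE version in a range affected by CVE-2024-6678?

Ranges are taken from the advisory as reported above:
  8.14 .. 17.1.6  -> fixed in 17.1.7
  17.2 .. 17.2.4  -> fixed in 17.2.5
  17.3 .. 17.3.1  -> fixed in 17.3.2
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Each entry is [lower bound inclusive, upper bound exclusive); the upper
# bound is the first patched release in that line.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]


def parse_version(text: str) -> Version:
    """Parse '17.3.1', '17.3' or '17.3.1-ee' into a (major, minor, patch) tuple.

    The '-ee' / '-ce' edition suffix (assumed format) is dropped; a missing
    patch component is treated as .0, matching how the advisory writes '17.2'.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(text: str) -> bool:
    """True if the version falls inside any advisory-listed affected range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(text: str) -> Optional[str]:
    """Return the first patched release that closes the range the version
    sits in, or None when the version is not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


def triage_report(versions: List[str]) -> List[str]:
    """Produce one human-readable line per inventoried instance."""
    lines = []
    for ver in versions:
        fix = minimum_fixed_version(ver)
        if fix is None:
            lines.append(f"{ver}: not in an affected range")
        else:
            lines.append(f"{ver}: AFFECTED, upgrade to at least {fix}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    for line in triage_report(["17.3.1-ee", "17.2.5", "16.11.0", "17.1.7", "8.13.9"]):
        print(line)
```

The exclusive upper bounds mean a version equal to a patched release is reported clean, while 17.1.6, 17.2.4 and 17.3.1 are all flagged. Pre-release or custom build suffixes other than a plain edition tag will raise rather than silently pass.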

CVE-2024-6678 is the third critical-severity pipeline execution defect that GitLab has patched over the past four months, after CVE-2024-5655 and CVE-2024-6385 were fixed in June and July, respectively.


The latest GitLab CE/EE releases also resolve three high-severity bugs that could allow attackers to inject commands into a connected Cube server, make requests to internal resources via a custom Maven Dependency Proxy URL, and send a large glm_source parameter to cause a denial-of-service (DoS) condition.

The security updates also include patches for 11 medium-severity and three low-severity flaws that could lead to GitLab token retrieval, protection bypasses, read access to source code from private projects, account squatting, account takeover, privilege escalation, and information leaks.

Most of the resolved vulnerabilities were reported via GitLab’s bug bounty program on HackerOne. The code-collaboration platform makes no mention of any of these vulnerabilities being exploited in the wild, but recommends that users upgrade to the latest versions as soon as possible.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
