GitLab Updates Resolve Critical Pipeline Execution Vulnerability

GitLab has released security updates to resolve multiple vulnerabilities in GitLab CE/EE, including a critical-severity pipeline execution flaw.

GitLab on Thursday announced patches for 17 vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including a critical-severity pipeline execution bug.

Tracked as CVE-2024-6678 (CVSS score of 9.9), the critical flaw could allow “an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” GitLab notes in its advisory.

Successful exploitation of this vulnerability could allow attackers to disrupt services and inject malicious code into production environments, Contrast Security director of product security Naomi Buckwalter told SecurityWeek in an emailed comment.

“Unauthenticated remote execution vulnerabilities like the one recently disclosed can allow attackers to control your CI/CD pipelines without needing legitimate credentials,” Buckwalter warns.

The vulnerability impacts GitLab CE/EE versions from 8.14 to 17.1.6, 17.2 to 17.2.4, and 17.3 to 17.3.1. Patches were included in versions 17.3.2, 17.2.5, and 17.1.7.
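The affected and patched version ranges above lend themselves to an inventory triage check. The following is an added example (not GitLab's code or the article's) that classifies a GitLab version string against those ranges and names the release to move to; the handling of `v` prefixes and `-ee`/`-ce` suffixes, and the sample inventory, are assumptions.

```python
"""Triage helper for CVE-2024-6678: map a GitLab CE/EE version string to the
affected ranges stated in the advisory (8.14-17.1.6, 17.2-17.2.4, 17.3-17.3.1)
and to the release that carries the fix (17.1.7, 17.2.5, 17.3.2).
Example code written for this article, not GitLab's own tooling."""
from __future__ import annotations

import re
from typing import Optional

# Each entry: (inclusive lower bound, exclusive upper bound). The upper bound
# is the first patched release on that branch, so it doubles as the target.
AFFECTED_RANGES = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]

# Accepts "17.3.1", "v17.3.1", "17.3" (patch defaults to 0) and the
# "-ee"/"-ce" edition suffix GitLab appends in its version output (assumed).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ee|ce))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise a version string to a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the patched release an affected instance should move to,
    or None when the version falls outside every affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    return fixed_release_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("gitlab-a", "17.3.1-ee"), ("gitlab-b", "17.2.5"),
                      ("gitlab-c", "16.11.0"), ("gitlab-d", "17.4.0")]:
        target = fixed_release_for(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + target if target else 'not in affected range'}")
```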

CVE-2024-6678 is the third critical-severity pipeline execution defect that GitLab has patched over the past four months, after CVE-2024-5655 and CVE-2024-6385 were fixed in June and July, respectively.

The latest GitLab CE/EE releases also resolve three high-severity bugs that could allow attackers to inject commands into a connected Cube server, make requests to internal resources via a custom Maven Dependency Proxy URL, and send a large glm_source parameter to cause a denial-of-service (DoS) condition.

The security updates also include patches for 11 medium-severity and three low-severity flaws that could lead to GitLab token retrieval, protection bypasses, read access to source code from private projects, account squatting, account takeover, privilege escalation, and information leaks.

Most of the resolved vulnerabilities were reported via GitLab’s bug bounty program on HackerOne. The code-collaboration platform makes no mention of any of these vulnerabilities being exploited in the wild, but recommends that users upgrade to the latest versions as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
