GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln

July 12, 2024 at 04:34PM

GitLab recently disclosed a critical vulnerability, CVE-2024-6385, in its DevOps platform that allows attackers to run pipelines in the context of other users. Rated 9.6 on the CVSS scale, the bug affects GitLab versions 15.8 to 17.1, and users were strongly urged to upgrade as soon as possible. It follows a similar bug disclosed in June, raising concerns over the platform’s security.

The key takeaways are as follows:

1. GitLab has issued a critical security advisory regarding a vulnerability, identified as CVE-2024-6385, impacting its CI/CD pipeline. The severity rating is 9.6 out of 10 and affects GitLab CE/EE versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2.

2. The vulnerability allows attackers to run a pipeline in the context of any user within the GitLab system, potentially hijacking user identities and gaining unauthorized access to projects, data, and code repositories.

3. GitLab strongly advises users to upgrade to the latest version as soon as possible to mitigate the risk of exploitation.

4. This new vulnerability is distinct from a prior one, CVE-2024-5655, and involves a broader range of potential attack vectors within the GitLab CI/CD pipeline process.

5. Although an attacker would require a valid user account within a specific GitLab environment to exploit the flaws, the severity of the vulnerabilities poses a significant security risk for organizations using GitLab.

6. GitLab’s security controls and monitoring are recommended to detect and mitigate attempted exploitation, and organizations should deploy fixes promptly and keep their security controls actively maintained.
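The version ranges in point 1 are the practical test an administrator needs: is this instance inside an affected range, and which patched release does it need to reach? The following Python check is an added example, not code from the article or from GitLab. It encodes exactly the ranges listed above (15.8 before 16.11.6, 17.0 before 17.0.4, 17.1 before 17.1.2) and assumes the version string comes from GitLab's `GET /api/v4/version` endpoint; the sample response embedded below is constructed, and the revision value is a placeholder.

```python
"""Classify a GitLab CE/EE version against the CVE-2024-6385 affected ranges
listed in the advisory summary. Added example; not GitLab's own tooling."""

from __future__ import annotations

import re

# Affected ranges exactly as the advisory lists them: each tuple is
# (first affected version, inclusive) -> (first fixed version, exclusive).
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),   # 15.8 prior to 16.11.6
    ((17, 0, 0), (17, 0, 4)),    # 17.0 prior to 17.0.4
    ((17, 1, 0), (17, 1, 2)),    # 17.1 prior to 17.1.2
]

# GitLab reports versions such as "17.1.1", "16.11.5-ee" or "v17.0.3";
# the optional "-..." suffix (e.g. "-ee") does not affect the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a GitLab-style version string into a comparable (major, minor, patch)
    tuple. A missing patch component is treated as .0. Raises ValueError on
    input that does not look like a version at all."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix_for(version: str) -> str | None:
    """Return the first patched release on the same branch an affected
    instance should move to, or None when the version is not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


# Constructed sample of the JSON body GitLab's GET /api/v4/version returns on a
# self-managed instance (the revision is a placeholder, not a real commit).
SAMPLE_VERSION_RESPONSE = {"version": "17.1.1-ee", "revision": "0000000"}


def check_instance(payload: dict) -> dict:
    """Summarise an instance's exposure from its /api/v4/version response."""
    version = payload["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": minimum_fix_for(version),
    }


if __name__ == "__main__":
    # Stand-alone run over the constructed sample plus a few boundary versions.
    print(check_instance(SAMPLE_VERSION_RESPONSE))
    for v in ("15.7.9", "15.8.0", "16.11.5", "16.11.6", "17.0.3", "17.0.4", "17.1.2"):
        print(f"{v:>8}: affected={is_affected(v)}, upgrade_to={minimum_fix_for(v)}")
```

The boundaries are deliberately half-open: the fixed releases 16.11.6, 17.0.4 and 17.1.2 are reported as not affected, while anything below them on the same branch, back to 15.8.0, is flagged together with the release it should be upgraded to.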

In summary, organizations using GitLab should prioritize deploying the latest fix for these critical vulnerabilities and actively maintain their security measures to mitigate the risk.
