June 28, 2024 at 04:52PM
A critical GitLab vulnerability (CVE-2024-5655) allows an attacker to run a pipeline as another user. It affects versions from 15.8 up to (but not including) 16.11.5, and the 17.0 and 17.1 branches up to (but not including) 17.1.1. The patched releases address 14 security issues in total: one critical, three high, and nine medium severity. Exploitation of this vulnerability poses a compliance risk as well as potential revenue loss.
Summary:
– GitLab recently released new versions of its Community and Enterprise Editions, which include fixes for 14 different security issues, one of which is a critical vulnerability known as CVE-2024-5655.
– The CVE-2024-5655 vulnerability affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1.
– This critical vulnerability enables an attacker to trigger a pipeline as another user, potentially allowing unauthorized access to private repositories and the manipulation, theft, or exfiltration of sensitive code and data.
– Although GitLab has not found evidence of the exploitation of CVE-2024-5655, there is a possibility of it being exploited in the future.
– Beyond security risks, the CVE-2024-5655 vulnerability poses a significant compliance risk, potentially impacting companies seeking to comply with US government requirements, particularly in relation to enforcing multi-factor authentication and conditional access controls.
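The first thing an administrator needs to know is whether a given instance falls inside the three affected ranges listed above. The following checker is an added example, not GitLab's own tooling; it compares versions numerically, which matters because a naive string comparison would wrongly treat 16.9.0 as newer than 16.11.5 and report it as not affected.

```python
"""Check whether a GitLab version falls in a CVE-2024-5655 affected range.

Added example, not GitLab's own code. Ranges are the ones in the advisory:
>=15.8 <16.11.5, >=17.0 <17.0.3, >=17.1 <17.1.1 (first fixed release is
the exclusive upper bound of each range).
"""
import re

# (first affected, first fixed) per release branch, as integer tuples so
# that comparison is numeric (16.9 < 16.11), not lexical ("16.9" > "16.11").
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]


def parse_version(version: str) -> tuple:
    """Turn strings such as '16.11.4-ee' or 'v17.0.2' into (16, 11, 4).

    Edition suffixes (-ee/-ce) are ignored; missing minor/patch parts are
    treated as 0, so '15.8' is read as 15.8.0 (the first affected release).
    """
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version lies in any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str):
    """First fixed release on the same branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    # Constructed sample inputs, including the boundary releases.
    for sample in ["16.9.0-ee", "16.11.5", "17.0.2", "17.1.1", "15.7.9"]:
        state = "vulnerable" if is_vulnerable(sample) else "not affected"
        print(f"{sample:<12} {state:<13} upgrade to: {minimum_fix(sample)}")
```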