GitLab: Critical bug lets attackers run pipelines as other users

GitLab: Critical bug lets attackers run pipelines as other users

July 10, 2024 at 04:08PM

GitLab addressed a critical vulnerability that allowed attackers to run pipeline jobs as other users in its Community and Enterprise editions. This flaw (CVE-2024-6385) had a severity rating of 9.6/10 and affected versions 15.8 to 17.1.2, impacting over 30 million users, including Fortune 100 companies. GitLab released updates and urged immediate installation. Additionally, previous vulnerabilities (CVE-2024-5655, CVE-2024-4835, CVE-2023-7028) have been patched, with ongoing attacks noted. The platform’s security impact, particularly in managing sensitive data, is significant.

Key Takeaways from the Meeting Notes:

– GitLab disclosed a critical vulnerability in its GitLab Community and Enterprise editions, allowing attackers to run pipeline jobs as any other user. This flaw, tracked as CVE-2024-6385, has a severity rating of 9.6 out of 10 and impacts specific versions of GitLab CE/EE.

– The company has released patched versions 17.1.2, 17.0.4, and 16.11.6, and strongly advised all admins to upgrade their installations immediately.

– GitLab has also addressed similar flaws in the past, such as CVE-2024-5655 and CVE-2024-4835, indicating an ongoing trend of vulnerabilities in the platform.

– Threat actors actively exploit vulnerabilities in GitLab, and CISA has warned about specific vulnerabilities, such as CVE-2023-7028.

– Vulnerable GitLab instances expose sensitive corporate data, making them attractive targets for attackers aiming to hijack accounts and compromise repositories.

Overall, the meeting notes highlight the critical nature of the vulnerabilities in GitLab and the urgent need for organizations to update their installations to the latest patched versions to mitigate the associated security risks.

Full Article