GitLab releases patch for critical vulnerability enabling unauthorised running of pipeline jobs
Take action: If you are running self-hosted GitLab CE/EE, it is time to update. Unless your GitLab server is isolated from internet access, you need to apply the patch as soon as possible. And even if it is isolated from internet access, an attacker will eventually find it.
GitLab has issued a warning about a critical vulnerability in its GitLab Community and Enterprise editions that allows attackers to run pipeline jobs as any user. This vulnerability, tracked as CVE-2024-6385 (CVSS score 9.6), impacts versions 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2.
This flaw allows attackers to abuse GitLab's CI/CD system to trigger a new pipeline as an arbitrary user under specific circumstances. GitLab has not disclosed the precise conditions under which this exploitation can occur.
Affected Versions:
- GitLab CE/EE versions from 15.8 up to but not including 16.11.6.
- GitLab CE/EE versions from 17.0 up to but not including 17.0.4.
- GitLab CE/EE versions from 17.1 up to but not including 17.1.2.
GitLab has released updates to versions 17.1.2, 17.0.4, and 16.11.6 to address this flaw. The GitLab.com and GitLab Dedicated instances are already running the patched versions.
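As an added example (not part of the original advisory or of GitLab's own tooling), the following script checks whether a given self-hosted GitLab version string falls inside the affected ranges listed above and reports the first fixed release on the same branch. The version strings in the sample run are constructed; on a real instance the value would come from `gitlab-rake gitlab:env:info` or the `/api/v4/version` API endpoint.

```python
"""Check a GitLab version against the CVE-2024-6385 affected ranges."""
import re
from typing import Optional

# Affected ranges from the advisory: lower bound inclusive, upper bound
# exclusive (the upper bound is the first fixed release of each branch).
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]


def parse_version(version: str) -> tuple:
    """Turn strings like '16.11.5-ee', 'v17.1' or '17.0.3' into a comparable
    (major, minor, patch) tuple. Edition suffixes ('-ee', '-ce') and any
    pre-release tag after the patch number are ignored; a missing patch is 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First patched release on the same branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


if __name__ == "__main__":
    # Constructed sample versions; replace with the output of
    # `gitlab-rake gitlab:env:info` or GET /api/v4/version on your instance.
    for sample in ["16.11.5-ee", "16.11.6", "17.0.3-ce", "17.1.2", "15.7.9", "17.2.0"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} fix={fixed_version_for(sample)}")
```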
This vulnerability highlights the significant security risks associated with GitLab instances, which host sensitive corporate data such as API keys and proprietary code. Successful exploitation can lead to substantial security breaches, including supply chain attacks if malicious code is inserted into CI/CD environments.
GitLab administrators are urged to upgrade to the latest versions (17.1.2, 17.0.4, 16.11.6) immediately.