GitLab issued a warning today about a critical vulnerability in its GitLab Community and Enterprise editions that allows attackers to execute pipeline jobs as any user.
The GitLab DevSecOps platform, which boasts over 30 million registered users, is utilized by more than 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS.
The flaw, addressed in today’s security update, is tracked as CVE-2024-6385 and has been assigned a CVSS base score of 9.6 out of 10 (critical).
This vulnerability affects all GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. Under specific, undisclosed conditions, attackers can exploit this flaw to initiate a new pipeline as an arbitrary user.
GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment (CI/CD) system that enables users to automatically execute processes and tasks in parallel or sequentially to build, test, or deploy code changes.
To mitigate this critical security issue, GitLab has released Community and Enterprise versions 17.1.2, 17.0.4, and 16.11.6, urging all administrators to upgrade their installations immediately.
The company stated, ‘We strongly recommend that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible.’ GitLab.com and GitLab Dedicated are already operating on the patched version.
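A defender-side check that turns the affected and patched versions above into an inventory triage script. This is an added example, not GitLab’s code or the article’s; it assumes each affected range starts at its stated lower bound and ends just before the patched release the article lists as the fix, and the hostnames and version strings in it are constructed.

```python
"""Check whether a GitLab CE/EE version string falls inside the CVE-2024-6385
affected ranges given in the article: 15.8 to 16.11.6, 17.0 to 17.0.4 and
17.1 to 17.1.2, with 16.11.6, 17.0.4 and 17.1.2 being the patched releases.
Assumption (not stated verbatim in the article): each range starts at its
lower bound and ends just before the patched release named as the fix.
"""
import re

# (first affected, first fixed) for each release line, taken from the article.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]


def parse_version(text):
    """Turn strings such as '17.1.1-ee', 'v16.11.5' or '17.0' into a
    (major, minor, patch) tuple; a missing patch component counts as 0."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version lies in an affected range (lower bound inclusive,
    patched release exclusive); False if it is patched or outside the ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix_for(version_text):
    """Return the patched release of the same line, or None if not affected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory; these are not hosts from the article.
    for host, ver in [("gitlab-a", "17.1.1-ee"), ("gitlab-b", "16.11.6-ce"),
                      ("gitlab-c", "15.7.9"), ("gitlab-d", "17.0.3")]:
        fix = minimum_fix_for(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host:10} {ver:12} {status}")
```

The version string can be taken from the instance’s admin page or its `/api/v4/version` endpoint; the edition suffix (`-ee`, `-ce`) is ignored because both editions are affected.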
Account takeover flaw actively exploited in attacks
GitLab addressed a nearly identical vulnerability (CVE-2024-5655) in late June, which could also be exploited to run pipelines as other users.
A month earlier, it fixed a high-severity vulnerability (CVE-2024-4835) that allowed unauthenticated attackers to hijack accounts via cross-site scripting (XSS) attacks. In May, CISA warned that threat actors were actively exploiting another zero-click GitLab vulnerability (CVE-2023-7028) patched in January, which enables unauthenticated attackers to take over accounts through password resets.
Although Shadowserver detected over 5,300 vulnerable GitLab instances exposed online in January, fewer than half (1,795) remain reachable today.
Attackers frequently target GitLab due to its hosting of sensitive corporate data, such as API keys and proprietary code, leading to significant security repercussions following a breach.
This includes the potential for supply chain attacks if malicious code is inserted into CI/CD (Continuous Integration/Continuous Deployment) environments, compromising the organization’s repositories.
Source: BleepingComputer, Sergiu Gatlan