GitLab recently rolled out urgent security patches to address multiple vulnerabilities, including a severe pipeline execution flaw.
The vulnerability, tracked as CVE-2024-6678, carries a critical severity ranking of 9.9, as it could let threat actors exploit GitLab’s CI/CD pipelines to trigger automated actions under unauthorized accounts.
The danger of this vulnerability stems from its remote execution capabilities and its potential to wreak havoc with next-to-no user interaction. Threat actors can exploit it to execute stop actions on behalf of authorized users with low-level privileges and no interaction from the victim.
GitLab’s CI/CD pipelines are essential for automating software development workflows, allowing users to streamline code integration, testing and deployment.
The flaw affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 8.14 up to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. All users are strongly advised to update to versions 17.3.2, 17.2.5 or 17.1.7 to mitigate the threat.
Beyond the critical vulnerability, GitLab addressed other high-severity issues in its recent rollout, including potential denial-of-service (DoS) attacks, session hijacking via compromised tokens, and unauthorized command executions.
For instance, CVE-2024-8124 could let threat actors overload systems and render GitLab instances unresponsive by sending large parameters.
Another equally relevant example is CVE-2024-8641, a medium-severity flaw that could be exploited to steal a victim’s GitLab session token and hijack its session. For this flaw to work, however, the perpetrator must obtain the target’s CI_JOB_TOKEN
beforehand.
GitLab’s security advisory lists several other issues of various severity levels, and urges users to prioritize updating to safe versions to avoid attacks leveraging these faults.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” the advisory says.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024
July 25, 2024