Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Avatar
GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0 “An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to

GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.

The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0

“An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” the company said in an alert.

The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

It’s worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).

While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches as soon as possible to mitigate against potential threats.

Earlier this May, U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) had come under active exploitation in the wild.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

Next Post

New Android Malware ‘Ajina.Banker’ Steals Financial Data and Bypasses 2FA via Telegram

Related Posts

Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines

Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads. "These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware
Avatar
Read More

AlphV claims to have ‘unseized’ its darkweb domain from the FBI. What’s happening?

Shortly after the AlphV/Blackcat ransomware gang’s website was replaced on Tuesday by a splashpage announcing it had been seized by the FBI, the law enforcement message was itself replaced by another missive from the criminals claiming to have “unseized” the page and brought it back under their control.
Siva Ramakrishnan
Read More