Article Details

GitLab warns of critical pipeline execution vulnerability. GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions. The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates. With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job. The severity of the flaw comes from its potential for remote exploitation, lack of user interaction, and the low privileges required for exploiting it. GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2. GitLab pipelines are automated workflows used to build, test, and deploy code, part of GitLab’s CI/CD (Continuous Integration/Continuous Delivery) system. They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently. GitLab addressed arbitrary pipeline execution vulnerabilities multiple times in recent months, including in July 2024, to fix CVE-2024-6385, in June 2024, to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical. The bulletin also lists four high-severity issues with scores between 6.7 – 8.5, that could potentially allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows: For update instructions, source code, and packages, check out GitLab’s official download portal. The latest GitLab Runner packages are available here.