Article Details

Original Article Text


Critical GitLab bug lets attackers run pipelines as any user. A critical vulnerability affects certain versions of GitLab Community and Enterprise Edition, and could be exploited to run pipelines as any user.

GitLab is a popular web-based open-source software project management and work tracking platform with an estimated one million active license users.

The security issue addressed in the latest update is tracked as CVE-2024-5655 and has a severity score of 9.6 out of 10. Under certain circumstances, which the vendor did not define, an attacker could leverage it to trigger a pipeline as another user.

GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment (CI/CD) system that lets users automatically run processes and tasks, either in parallel or in sequence, to build, test, or deploy code changes.

The vulnerability impacts all GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0. GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends that users apply the updates as soon as possible.

The vendor also informs that upgrading to the latest versions comes with two breaking changes that users should be aware of:

The latest GitLab update also introduces security fixes for 13 other issues, three of which are rated "high" severity (CVSS v3.1 score: 7.5 – 8.7). These three are summarized as follows:

Resources for GitLab updates are available here, while GitLab Runner guidelines can be found on this page.
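As an added example that is not from the article or from GitLab: a small Python triage helper that applies the affected-version ranges quoted above to a constructed inventory of instance version strings and reports the lowest patched release to move to. The host names and version strings in the inventory are made up, and "15.8" is assumed to mean 15.8.0.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory text (inclusive bounds).
# Assumption: the lower bound "15.8" is taken as 15.8.0.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 8, 0), (16, 11, 4)),
    ((17, 0, 0), (17, 0, 2)),
    ((17, 1, 0), (17, 1, 0)),
]
# Patched releases named in the advisory.
FIXED_VERSIONS: List[Version] = [(16, 11, 5), (17, 0, 3), (17, 1, 1)]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional 'v' prefix or '-ee'/'-ce' suffix."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range for CVE-2024-5655."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """Lowest patched release at or above this version, or None if not affected."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    fix = min(f for f in FIXED_VERSIONS if f >= v)
    return ".".join(str(n) for n in fix)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, running version, fix to apply) for every affected instance."""
    return [(host, ver, recommended_fix(ver))
            for host, ver in sorted(inventory.items()) if is_affected(ver)]


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-dev.example.test": "16.5.3-ee",
    "gitlab-prod.example.test": "17.1.1-ee",
    "gitlab-ci.example.test": "17.0.2",
}

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {ver}, upgrade to {fix}")
```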

Daily Brief Summary

CYBERCRIME // Critical GitLab Vulnerability Allows Unauthorized Pipeline Access

A severe vulnerability, identified as CVE-2024-5655 with a 9.6 CVSS score, has been found in GitLab Community and Enterprise Editions.

Attackers could exploit this flaw to execute pipelines as any GitLab user, compromising both software integrity and data security.

Affected versions include GitLab CE/EE from 15.8 through 17.1.0, with patches available in versions 17.1.1, 17.0.3, and 16.11.5.

Users are urged to update immediately to mitigate risks, though they should be cautious of two breaking changes introduced with the patches.

The update also rectifies 13 additional security issues, three of which are classified as high severity, enhancing overall platform security.

GitLab is widely utilized with over one million active users, emphasizing the high impact of this security loophole.

Comprehensive update resources and guidelines for GitLab Runner are publicly available to aid users in securing their environments.