GitLab update addresses pipeline execution vulnerability

GitLab has released critical security updates to address multiple vulnerabilities, including a high-severity flaw that could allow attackers to run pipeline jobs as arbitrary users.

The company strongly recommends all GitLab installations be upgraded immediately to the latest versions: 17.1.2, 17.0.4, or 16.11.6 for both Community Edition (CE) and Enterprise Edition (EE).

The most critical vulnerability (CVE-2024-6385) affects GitLab versions 15.8 to 17.1.1. With a CVSS score of 9.6, this flaw could enable an attacker to trigger a pipeline as another user under certain circumstances. The issue was reported through GitLab’s HackerOne bug bounty program by a user known as yvvdwf.

In addition to the critical flaw, GitLab addressed several other security issues:

• A medium-severity vulnerability (CVE-2024-5257) allowing developers with admin_compliance_framework permission to change group URLs.
• A low-severity issue (CVE-2024-5470) where users with admin_push_rules permission could create project-level deploy tokens.
• A package registry vulnerability (CVE-2024-6595) related to manifest confusion in NPM packages.
• A low-severity flaw (CVE-2024-2880) enabling users with admin_group_member permission to ban group members.
• A subdomain takeover vulnerability (CVE-2024-5528) in GitLab Pages.

GitLab.com and GitLab Dedicated are already running the patched versions. The company emphasises the importance of maintaining good security hygiene and recommends that all customers upgrade to the latest patch release for their supported version.

These security fixes are part of GitLab’s scheduled release cycle, which includes patch releases twice a month on the second and fourth Wednesdays. For high-severity vulnerabilities, GitLab also issues ad-hoc critical patches.

The company states that issues detailing each vulnerability will be made public on their issue tracker 30 days after the release in which they were patched. This approach allows users time to upgrade before potential exploit details become widely available.

In addition to the security fixes, the latest releases include various bug fixes and improvements across different GitLab components, such as Git, MailRoom, CI/CD pipelines, and Redis integration.

Ray Kelly, fellow at the Synopsys Software Integrity Group, said:

“In today’s fast-paced DevSecOps world, any mention of a vulnerability in pipeline functionality can certainly make the hairs on your neck stand up. Once a pipeline is compromised, software can be altered with malware, backdoors, or used to steal private information from organisations.

This is difficult to detect because security scans are usually conducted earlier in the SDLC process. Given recent high-profile supply chain breaches, it’s clear that organisations need to patch vulnerabilities immediately to prevent threat actors from compromising their software. 

Additionally, introducing security scanning within the pipeline can help detect issues before they are deployed.”

As always, users are advised to follow best practices in securing their GitLab instances and to upgrade as soon as possible to mitigate potential risks.

(Photo by Mark Boss)

See also: Judge dismisses majority of GitHub Copilot copyright claims

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: bug, coding, cyber security, cybersecurity, development, devops, devsecops, git, gitlab, hacking, programming, security, vulnerability