GitLab CE/EE Vulnerability Allows Attacker to Trigger Pipeline as Another User

Summary

A critical vulnerability, tracked as CVE-2024-6385, has been found in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2. This vulnerability allows attackers to trigger a pipeline as another user under certain circumstances, potentially enabling arbitrary pipeline job execution. GitLab has issued a patch to address this critical flaw, highlighting the importance for users to update their software as soon as possible to mitigate the risk. While there is no evidence of exploitation by ransomware groups, the potential impact of this vulnerability is significant, as it could allow attackers to run malicious code, access sensitive data, and compromise software integrity. Additionally, the previous CVE-2024-5655 vulnerability highlights the need for organizations to move beyond reactive security measures and employ continuous monitoring of development tools for security risks.

News Articles

SC Media

CVE-2024-6385

Severe vulnerabilities addressed by GitLab, others

GitLab has issued a fix for the critical flaw in GitLab Community Edition and Enterprise Edition software, tracked as CVE-2024-6385, which could be leveraged for arbitrary pipeline job execution.

4 months ago

SC Media

CVE-2024-6385

GitLab patches 2nd critical pipeline vulnerability in last month

CVE-2024-6385, like another bug patched last month, could allow attackers to run pipelines as any user.

4 months ago

IT Pro

CVE-2024-6385

This critical GitLab flaw allows attackers to run pipeline jobs as other users – patch now

GitLab has patched a critical vulnerability that allows attackers to run pipeline jobs as any other user, recommending that users upgrade immediately.

4 months ago