GitLab CE/EE Vulnerability Allows Attacker to Trigger Pipeline as Another User
CVE-2024-6385
Key Information
- Vendor: GitLab
- Status: GitLab (vendor)
- CVE Published: 11 July 2024
Summary
A critical vulnerability, tracked as CVE-2024-6385, has been found in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2. Under certain circumstances it allows an attacker to trigger a pipeline as another user, which in turn can enable arbitrary pipeline job execution. GitLab has issued patched releases for this critical flaw, and users should update as soon as possible to mitigate the risk. While there is no evidence of exploitation by ransomware groups, the potential impact is significant: an attacker who can run pipeline jobs as another user could execute malicious code, access sensitive data, and compromise the integrity of the software being built. Taken together with the earlier CVE-2024-5655, this flaw highlights the need for organizations to move beyond reactive patching and continuously monitor their development tooling for security risks.
Affected Version(s)
GitLab 15.8 and later, before 16.11.6
GitLab 17.0.x before 17.0.4
GitLab 17.1.x before 17.1.2
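As an added example (not the advisory's or GitLab's own code), a small Python check that triages an inventory of GitLab version strings against the three affected ranges listed above; the sample inventory is constructed.

```python
# Added example: check GitLab version strings against the CVE-2024-6385
# affected ranges stated in this advisory. The ranges come from the page;
# the sample versions below are constructed.

import re

# (lower bound inclusive, fixed version exclusive), per the advisory text:
# 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, 17.1 prior to 17.1.2.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]

def parse_version(text):
    """Turn '17.1.1-ee' or '16.11.5' into a (major, minor, patch) tuple.
    Edition suffixes such as '-ee' / '-ce' are ignored; they do not change
    which code the instance runs. Raises ValueError on unparseable input."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_affected(text):
    """True if the version falls inside any affected range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def triage(versions):
    """Map each version string to 'affected', 'not_affected' or 'invalid'."""
    out = {}
    for text in versions:
        try:
            out[text] = "affected" if is_affected(text) else "not_affected"
        except ValueError:
            out[text] = "invalid"
    return out

if __name__ == "__main__":
    # Constructed sample inventory; in practice the strings would come from
    # each instance (e.g. its GET /api/v4/version endpoint).
    sample = ["16.11.5-ee", "16.11.6", "17.0.3-ce", "17.0.4",
              "17.1.1", "17.1.2", "15.7.9", "unknown"]
    for version, verdict in triage(sample).items():
        print(f"{version:12s} {verdict}")
```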
News Articles
- GitLab patches 2nd critical pipeline vulnerability in last month (1 week ago): CVE-2024-6385, like another bug patched last month, could allow attackers to run pipelines as any user.
- Severe vulnerabilities addressed by GitLab, others (5 months ago): GitLab has issued a fix for the critical flaw in GitLab Community Edition and Enterprise Edition software, tracked as CVE-2024-6385, which could be leveraged for arbitrary pipeline job execution.
References
CVSS V3.1
Timeline
- Exploit known to exist
- First article discovered by IT Pro
- Vulnerability published
- Vulnerability reserved