Security Vulnerability Impacts All Versions of GitLab

CVE-2024-6678
8.8 HIGH

Key Information

Vendor: Gitlab
Status: Gitlab Vendor
CVE Published: 12 September 2024

Badges

📰 News Worthy

Summary

The vulnerability CVE-2024-6678 affects all versions of GitLab, with a critical flaw having a CVSS score of 9.9 that could allow an attacker to trigger a pipeline as an arbitrary user, leading to privilege escalation, data exfiltration, and a software supply chain compromise. While the vulnerability has not been observed in the wild, it bears strong similarities to recent high-profile attacks and to tactics used by advanced persistent threat (APT) groups and cybercriminal gangs. Security professionals emphasize the urgency of patching this vulnerability, as abuse of pipeline permissions could lead to widespread compromise of production software, access to all of the company's source code, introduction of malicious code, and compromise of the underlying operating system. Additionally, it is noted that a compromised account from one organization could be used to access another, posing a supply chain infection risk. The vulnerability affects nearly 30,000 companies worldwide using GitLab, and security teams are advised to ensure timely patching and to encourage counterparties to do the same.

Affected Version(s)

GitLab < 17.1.7

GitLab < 17.2.5

GitLab < 17.3.2

News Articles

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by SC Media

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD Database, Mitre Database, 1 News Article(s)

Credit

Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program.