Security Vulnerability Impacts All Versions of GitLab
CVE-2024-6678
Key Information:
Badges
Summary
A security issue in GitLab CE and EE has been identified that allows an attacker to trigger a pipeline as an arbitrary user under specific conditions. This vulnerability affects multiple versions, including all releases from version 8.14 up to 17.1.7, as well as from version 17.2 up to 17.2.5 and from 17.3 up to 17.3.2. The flaw highlights weaknesses in permission handling, potentially leading to unauthorized actions within the GitLab environment.
Affected Version(s)
GitLab 8.14 < 17.1.7
GitLab 17.2 < 17.2.5
GitLab 17.3 < 17.3.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
GitLab patches bug that could expose a CI/CD pipeline to supply chain attack
Security pros called this GitLab patch an urgent one because an exploited CI/CD pipeline could lead to a serious supply chain compromise.
4 months ago
The Hacker NewsCVE-2024-6678Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution
GitLab patches critical flaw (CVE-2024-6678) allowing unauthorized pipeline job execution. Update to latest version to protect your repositories
4 months ago
References
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
- π°
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved