Security Vulnerability Impacts All Versions of GitLab
Summary
CVE-2024-6678 affects all versions of GitLab. It is a critical flaw with a CVSS score of 9.9 that could allow an attacker to trigger a pipeline as an arbitrary user, which can lead to privilege escalation, data exfiltration and a software supply chain compromise. The vulnerability has not been observed in the wild, but it closely resembles recent high-profile attacks and tactics used by advanced persistent threat (APT) groups and cybercriminal gangs. Security professionals stress the urgency of patching, because abusing pipeline permissions could lead to widespread compromise of production software, access to all of a company's source code, the introduction of malicious code, and compromise of the underlying operating system. A compromised account at one organization could also be used to reach another, which poses a supply chain infection risk. Nearly 30,000 companies worldwide use GitLab; security teams are advised to patch promptly and to encourage counterparties to do the same.
Affected Version(s)
GitLab < 17.1.7
GitLab < 17.2.5
GitLab < 17.3.2
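The affected-version list above is branch-specific: an installation is fixed only if it is at or above the patched release of its own release branch, and the advisory names no fixed release for branches older than 17.1. The following check is an added example written for this page (not GitLab's own tooling); it takes the three fixed releases from the list above and classifies version strings from a hypothetical inventory, which is constructed here for the demonstration.

```python
"""
Added defender-side check: does an installed GitLab version fall below the
fixed release for its branch, per the versions listed on this page for
CVE-2024-6678? The fixed releases (17.1.7, 17.2.5, 17.3.2) come from the page;
the inventory of version strings at the bottom is constructed sample data.
"""
from __future__ import annotations

import re
from typing import Optional

# Fixed releases named on the page, keyed by release branch (major, minor).
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (17, 1): (17, 1, 7),
    (17, 2): (17, 2, 5),
    (17, 3): (17, 3, 2),
}
OLDEST_FIXED_BRANCH = min(FIXED_RELEASES)  # (17, 1)

# Accepts "17.3.1", "v17.3.1" and the "-ee"/"-ce" edition suffix GitLab prints.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """
    True  -> below the fixed release of its branch, or on a branch older than
             any fixed branch (the page lists no fix for those)
    False -> at or above the fixed release of its branch
    None  -> branch newer than any the page names; this check cannot say
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        # Tuple comparison orders (major, minor, patch) numerically.
        return version < FIXED_RELEASES[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True
    return None


def triage(versions: list[str]) -> dict[str, str]:
    """Map each inventory entry to AFFECTED / FIXED / NOT_COVERED / UNPARSEABLE."""
    labels = {True: "AFFECTED", False: "FIXED", None: "NOT_COVERED"}
    result: dict[str, str] = {}
    for v in versions:
        try:
            result[v] = labels[is_affected(v)]
        except ValueError:
            # A string like "latest" gives no version; flag it rather than guess.
            result[v] = "UNPARSEABLE"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    inventory = ["16.11.3", "17.1.6", "17.1.7", "17.2.4-ee", "v17.3.2", "17.4.0", "latest"]
    for version, status in triage(inventory).items():
        print(f"{version:<12} {status}")
```

Versions on a branch newer than 17.3 are reported as NOT_COVERED rather than FIXED, because the page says nothing about them; a practitioner should treat that as "consult the vendor release notes", not as a clean result.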
News Articles
GitLab patches bug that could expose a CI/CD pipeline to supply chain attack
Security pros called this GitLab patch an urgent one because an exploited CI/CD pipeline could lead to a serious supply chain compromise.
Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution
GitLab patches critical flaw (CVE-2024-6678) allowing unauthorized pipeline job execution. Update to the latest version to protect your repositories.
CVSS v3.1 base score: 9.9 (critical)
Timeline
Vulnerability reserved.
Vulnerability published.
First article discovered by The Hacker News.