On Wednesday, GitLab released security updates to address 17 vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.
The issue, tracked as CVE-2024-6678, has a CVSS score of 9.9 out of a maximum of 10.0.
“An issue has been discovered in GitLab CE/EE that affects all versions from 8.14 to 17.1.7, from 17.2 to 17.2.5, and from 17.3 to 17.3.2, which allows an attacker to run the pipeline as an arbitrary user under certain circumstances,” the company said in the notice.
The vulnerability, along with three high-severity bugs, 11 medium-severity bugs, and two further bugs, has been fixed in versions 17.3.2, 17.2.5, and 17.1.7 of GitLab Community Edition (CE) and Enterprise Edition (EE).
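A quick way to check an instance against the affected ranges quoted above, as an added example (not GitLab's own tooling). It assumes each "from X to Y" range in the advisory is inclusive of X and exclusive of Y, since Y is the patched release named in the same notice, and it accepts version strings such as `17.3.1`, `17.3.1-ee` or `v17.3`.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges for CVE-2024-6678 as listed in the advisory. Lower bound is inclusive,
# upper bound is exclusive because the upper bound is the fixed release (assumption).
AFFECTED_RANGES = (
    ((8, 14), (17, 1, 7)),
    ((17, 2), (17, 2, 5)),
    ((17, 3), (17, 3, 2)),
)


def parse_version(text: str) -> Version:
    """Turn '17.3.1', '17.3.1-ee' or 'v17.3' into a 3-tuple of ints for comparison."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    # A missing patch component (e.g. 'v17.3') is treated as .0
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def fixed_release(text: str) -> Optional[str]:
    """Return the patched release that closes the matching range, or None if unaffected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        # Tuple comparison handles a 2-part lower bound against a 3-part version
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    return fixed_release(text) is not None


if __name__ == "__main__":
    # Constructed sample inputs, e.g. as read from an instance's version endpoint
    for sample in ("16.11.0", "17.2.4-ee", "17.3.1", "17.3.2"):
        fix = fixed_release(sample)
        print(sample, "-> affected, upgrade to" if fix else "-> not affected", fix or "")
```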
It should be noted that CVE-2024-6678 is the fourth such flaw that GitLab has fixed in the last year, following CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).
Although there is no evidence that the flaws are being actively exploited, users are encouraged to apply the patches as soon as possible to reduce the potential risk.
Earlier this May, the US Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) was being actively exploited in the wild.