New GitLab Vulnerability Enables Unauthorized Pipeline Execution

GitLab recently released a security advisory warning of a critical vulnerability impacting its GitLab Community and Enterprise editions that would let threat actors run unauthorized pipeline jobs.

The flaw, tracked as CVE-2024-6385, has a CVSS severity score of 9.6 out of 10 and was flagged as critical. It affects all GitLab Community and Enterprise versions 15.8 through 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2.

Vulnerability Lets Attackers Trigger Unauthorized Pipeline Actions

Further details of the vulnerability are yet to be disclosed; however, it is known that perpetrators could weaponize it to execute a new pipeline under the guise of any user.

GitLab pipelines are integral to the automation of software development, including building, testing, and deploying applications. They can streamline the development process dramatically by automating repetitive tasks, reducing human error and speeding up the delivery of software to end users.

Exploiting Pipelines Could Have Severe Implications

The implications of the recent vulnerability are notably severe, considering that pipelines handle everything from code compilation to running tests and deployment to production. Attackers could weaponize this flaw to inject malicious code, alter the build process, access sensitive information stored in the environment variables, or disrupt service by deploying corrupted updates to production environments.

Furthermore, the fact that threat actors could exploit the vulnerability to trigger unauthorized pipeline actions as any user complicates security protocols, as it may bypass typical safeguards that rely on user identity verification, such as audit logs and role-based access controls.

GitLab Released Patched Versions of Affected Products

Fortunately, GitLab quickly addressed the situation and released patched versions of its product’s Community and Enterprise editions, specifically versions 17.1.2, 17.0.4, and 16.11.6.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," reads GitLab’s security advisory. "GitLab.com and GitLab Dedicated are already running the patched version."