GitLab Critical Vulnerability Allows Attackers to Run Pipelines as Other Users
GitLab has issued a critical security alert regarding a severe vulnerability in its GitLab Community and Enterprise editions, potentially allowing attackers to execute pipeline jobs as other users. With over 30 million registered users and adoption by more than 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS, this vulnerability poses a significant threat.
The vulnerability, tracked as CVE-2024-6385, has been assigned a CVSS base score of 9.6 out of 10, indicating its high severity. It affects all GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. Under certain conditions, which GitLab has not yet fully disclosed, attackers can exploit this flaw to trigger new pipeline jobs as any user.
GitLab pipelines are an essential feature of the Continuous Integration/Continuous Deployment (CI/CD) system, enabling users to automate the execution of tasks and processes to build, test, or deploy code changes efficiently. The ability to run these pipelines as arbitrary users significantly elevates the risk of unauthorized access and potential breaches.
Mitigation
In response to this critical vulnerability, GitLab has released patched versions for both its Community and Enterprise editions: 17.1.2, 17.0.4, and 16.11.6. GitLab strongly advises all administrators to upgrade their installations immediately to these latest versions to mitigate the risk of exploitation.
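As an added example (not from GitLab or from this article), the following Python check maps the version an instance reports onto the affected and fixed ranges listed above, so an administrator can confirm which upgrade target applies. It assumes GitLab's `GET /api/v4/version` endpoint, which returns a JSON body with a `version` field, and uses a constructed sample response rather than a live instance.

```python
"""Check a GitLab CE/EE version string against the CVE-2024-6385 affected ranges."""
from __future__ import annotations
import json
import re
from typing import Optional

# Affected ranges from the advisory: 15.8 up to 16.11.6, 17.0 up to 17.0.4,
# 17.1 up to 17.1.2. Each entry is (first affected, first fixed); the fixed
# release itself is excluded, so a match means "upgrade to the second value".
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '17.1.1', '17.1.1-ee' or '16.11.5-ce.0' into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")

def is_vulnerable(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for an affected version, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None

def assess_api_response(body: str) -> dict:
    """Assess the JSON body returned by GET /api/v4/version."""
    version = json.loads(body)["version"]
    return {"version": version,
            "vulnerable": is_vulnerable(version),
            "upgrade_to": fixed_version_for(version)}

if __name__ == "__main__":
    # Constructed sample mirroring the shape of a /api/v4/version response (hypothetical values).
    sample = '{"version": "17.1.1-ee", "revision": "0000000"}'
    print(assess_api_response(sample))
    # Against a live instance the body would come from an authenticated request, e.g.
    #   requests.get(f"{base_url}/api/v4/version", headers={"PRIVATE-TOKEN": token}).text
```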
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab emphasized. The company assured that GitLab.com and GitLab Dedicated instances are already operating on the patched versions.
This recent alert follows the patching of a nearly identical vulnerability (CVE-2024-5655) in late June, which also allowed the execution of pipelines as other users. Additionally, in May, GitLab addressed a high-severity vulnerability (CVE-2024-4835) that enabled unauthenticated attackers to take over accounts via cross-site scripting (XSS) attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has also warned about the active exploitation of a zero-click GitLab vulnerability (CVE-2023-7028) patched in January. This flaw allows unauthenticated attackers to hijack accounts through password resets.
Despite efforts to secure GitLab instances, Shadowserver identified over 5,300 vulnerable GitLab instances exposed online as of January. Fewer than half of them (1,795) remain reachable today, which still represents a substantial ongoing risk.
Security Implications and Best Practices
GitLab is a prime target for attackers due to the sensitive corporate data it hosts, including API keys and proprietary code. A breach can lead to severe security impacts, such as supply chain attacks where malicious code is inserted into CI/CD environments, compromising the organization’s repositories.
For IT professionals, cybersecurity experts, and DevOps teams, it is crucial to prioritize these updates and implement robust security measures. Regularly updating software, monitoring for unusual activity, and employing strong authentication mechanisms can help safeguard against such vulnerabilities.