GitLab, a widely-used DevSecOps platform with over 30 million users, recently disclosed a critical vulnerability affecting its GitLab Community and Enterprise editions.
Tracked as CVE-2024-6385 and scoring 9.6 out of 10 on the CVSS severity scale, the flaw allows an attacker, under certain circumstances, to trigger a pipeline as another user. It affects GitLab CE/EE 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2.
GitLab's pipeline feature, integral to Continuous Integration/Continuous Deployment (CI/CD) processes, automates tasks like code building, testing and deployment. A pipeline runs with the permissions of the user who triggered it, and the CI_JOB_TOKEN handed to its jobs carries that user's access, which is why being able to start a pipeline as someone else is rated critical rather than a mere nuisance.
The fix ships in versions 17.1.2, 17.0.4 and 16.11.6, and GitLab urges administrators of all affected self-managed installations to upgrade immediately. GitLab.com and GitLab Dedicated already run the patched versions, so no action is needed there.
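A practical first step for administrators is to check whether a self-managed instance falls inside the affected ranges above. The following script is an added example, not GitLab's own tooling: it encodes the three fixed release branches from the advisory and classifies a version string. In practice the string comes from `GET /api/v4/version` on the instance (which needs an authenticated token); here the inputs are constructed sample strings so the script runs offline.

```python
"""Classify a GitLab version against the CVE-2024-6385 fix ranges.

Added example (not GitLab code). The version string would normally be read
from GET /api/v4/version; the strings in main() are constructed samples.
"""
import re

# (first affected, first fixed) per release branch, taken from the advisory.
# A version v is vulnerable when first_affected <= v < first_fixed.
# Branches before 16.11 have no backport, so anything from 15.8 up to
# 16.11.5 must move to 16.11.6.
FIX_RANGES = [
    ((15, 8, 0), (16, 11, 6)),   # 15.8 .. 16.11.5  -> fixed in 16.11.6
    ((17, 0, 0), (17, 0, 4)),    # 17.0.x           -> fixed in 17.0.4
    ((17, 1, 0), (17, 1, 2)),    # 17.1.x           -> fixed in 17.1.2
]


def parse_version(text):
    """Turn '17.1.1-ee' or '16.11.6' into an (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def minimum_fixed_version(text):
    """Return the lowest patched release in the same branch, or None if the
    given version is already outside every affected range."""
    v = parse_version(text)
    for first_affected, first_fixed in FIX_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_vulnerable(text):
    """True when the version needs the CVE-2024-6385 upgrade."""
    return minimum_fixed_version(text) is not None


def main():
    # Constructed sample inputs; replace with the value of
    # GET /api/v4/version -> {"version": "...", "revision": "..."}
    samples = ["16.10.5-ee", "16.11.6", "17.0.3", "17.0.4",
               "17.1.1-ee", "17.1.2", "17.2.0", "15.7.9"]
    for s in samples:
        fixed = minimum_fixed_version(s)
        verdict = f"VULNERABLE, upgrade to {fixed}" if fixed else "not affected"
        print(f"{s:12} {verdict}")


if __name__ == "__main__":
    main()
```

Note that a version newer than the patched release in a later branch (for example 17.2.0) is reported as not affected, while an old unsupported release such as 15.7.x is also outside the advisory's range: that does not make 15.7 safe, only out of scope for this CVE, and such an instance should be upgraded regardless.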
This isn't the first time GitLab has faced critical security challenges. In June, GitLab patched a similar flaw, CVE-2024-5655, which also let an attacker trigger a pipeline as another user under certain circumstances.
In May, a high-severity cross-site scripting flaw in the Web IDE (CVE-2024-4835) that could be abused for account takeover was fixed.
CISA has also recorded active exploitation of GitLab vulnerabilities in its Known Exploited Vulnerabilities catalog, including CVE-2023-7028, a zero-click flaw that let attackers have a password-reset email for any account sent to an address they controlled, enabling account hijacking.
Shadowserver's scans in January found thousands of internet-exposed GitLab instances still vulnerable to that flaw. Because such instances hold API keys, credentials and proprietary code, a compromise risks both data breaches and downstream supply chain attacks.
In response to these threats, GitLab continues to advocate for prompt updates and vigilance among administrators to safeguard against potential exploits.
The frequency and severity of these vulnerabilities underscore the critical importance of robust security practices in managing CI/CD environments and protecting organizational assets from cyber threats.