GitLab recently reported a critical vulnerability in GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) that could allow attackers to run pipelines on behalf of any user.
The vulnerability, identified as CVE-2024-6385 with a CVSS rating of 9.6, affects GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. This flaw could enable attackers to launch new pipelines as an arbitrary user, under specific conditions not yet disclosed by GitLab.
GitLab Pipelines play a crucial role in the Continuous Integration/Continuous Deployment (CI/CD) system, allowing users to automate the building, testing, and deployment of code changes.
Exploiting this vulnerability could have severe consequences, such as compromising the supply chain by introducing malicious code into the CI/CD environment and jeopardizing the organization’s repositories.
To address this issue, GitLab has released updates for GitLab Community and Enterprise versions 17.1.2, 17.0.4, and 16.11.6, aimed at eliminating the vulnerability. It is strongly advised that administrators promptly update all installations to the latest versions to mitigate any potential risks.
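The affected and fixed versions listed above are easy to misread when triaging a fleet of self-managed instances, so here is an added example (not GitLab's code, and not part of the original advisory) that checks an installed version string against the ranges the advisory states. It assumes the fixed releases (16.11.6, 17.0.4, 17.1.2) are themselves not affected, and that version strings look like `17.1.1` or `16.11.5-ee` as returned by an instance's own version reporting; the host labels in the sample inventory are constructed.

```python
import re

# Affected ranges as stated in the advisory summary: 15.8 up to the fix
# 16.11.6, 17.0 up to the fix 17.0.4, and 17.1 up to the fix 17.1.2.
# Upper bounds are the fixed releases and are therefore excluded
# (assumption consistent with the advisory: the fix closes the flaw).
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z', optionally followed by an edition suffix
    such as '-ee' or '-ce', into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-\w+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True if the version falls inside any affected range for CVE-2024-6385."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version_text):
    """Return the patched release for the affected branch, or None if not affected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def triage(inventory):
    """Map each host label to (affected, fix) for a patch-tracking report."""
    return {host: (is_affected(ver), recommended_fix(ver))
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders.
    sample = {
        "gitlab-a": "16.11.5-ee",   # affected, upgrade to 16.11.6
        "gitlab-b": "17.0.4",       # already on the fixed release
        "gitlab-c": "17.1.1-ce",    # affected, upgrade to 17.1.2
        "gitlab-d": "15.7.9",       # below the first affected release
    }
    for host, (hit, fix) in triage(sample).items():
        status = f"AFFECTED -> upgrade to {fix}" if hit else "not affected"
        print(f"{host:10s} {sample[host]:12s} {status}")
```

Feed `triage()` the versions collected from each instance and act on every entry flagged as affected; the helper deliberately treats a version that cannot be parsed as an error rather than silently marking it safe.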