GitLab has released patch versions 17.3.2, 17.2.5, and 17.1.7 of its platform, fixing 17 vulnerabilities in total: one rated critical (CVSS 9.9 out of 10), 3 high, 11 moderate, and 2 low. The critical vulnerability, CVE-2024-6678, allows an attacker, under certain circumstances, to run CI pipeline jobs (and therefore code) as another user, which can grant unauthorized access to internal repositories and private projects that the impersonated user can reach. Self-managed instances still running an earlier release on any of these lines should upgrade to the patched version for their line.
The vulnerability was reported to GitLab through its bug bounty program on HackerOne. In line with GitLab's disclosure policy, the specific technical details of the issue will be published 30 days after the patch release.
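A quick way to check whether a self-managed instance carries the fix is to compare its version against the three patched releases named above. The following script is an added example, not GitLab's own tooling: it parses a GitLab version string (including `-ee`/`-ce` suffixes) and decides whether that release is on or past the fixed version for its line, treating 17.4 and later as released after the fix and anything older than 17.1 as having no patched release on its line. The `fetch_instance_version` helper calls the real `GET /api/v4/version` endpoint, which requires an access token; the base URL and token are placeholders you supply.

```python
import json
import re
import urllib.request
from typing import Tuple

# Fixed versions from the GitLab patch release this article reports on.
# Any release on the same minor line that is at least this version carries the fix.
FIXED_VERSIONS = {
    (17, 3): (17, 3, 2),
    (17, 2): (17, 2, 5),
    (17, 1): (17, 1, 7),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string such as '17.3.1-ee' or 'v17.2.4' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """Return True if this GitLab version includes the CVE-2024-6678 fix.

    - On the 17.1, 17.2 and 17.3 lines, compare against that line's fixed patch release.
    - Lines newer than 17.3 were cut after the fix and are treated as patched.
    - Lines older than 17.1 have no patched release and are treated as unpatched
      (the instance should be upgraded to a supported line).
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    newest_fixed_line = max(FIXED_VERSIONS)
    return line > newest_fixed_line


def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint (needs an access token).

    base_url and token are assumptions you fill in, e.g. https://gitlab.example.com
    and a personal access token with at least read_api scope.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions; replace with fetch_instance_version(...) for a live check.
    for v in ["17.3.1-ee", "17.3.2-ee", "17.2.5", "17.1.6-ce", "17.4.0", "16.11.10"]:
        status = "patched" if is_patched(v) else "VULNERABLE - upgrade"
        print(f"{v:12s} {status}")
```

Run it as-is to see the constructed sample versions classified, or wire `fetch_instance_version` into the loop to test a real instance; the version comparison is done on the parsed tuple rather than on the raw string so that `17.3.10` sorts after `17.3.2`.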