Recently, GitLab issued an urgent security advisory regarding a critical vulnerability, CVE-2024-6678, which impacts both GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw, with a CVSS score of 9.9, allows attackers to execute pipeline jobs as arbitrary users, potentially leading to full system compromise. GitLab has released patches addressing this vulnerability in versions 17.3.2, 17.2.5, and 17.1.7, strongly urging users to update immediately.
Vulnerability Breakdown: CVE-2024-6678 (CVSS 9.9)
The most critical flaw, CVE-2024-6678, affects GitLab versions from 8.14 up to, but not including, the patched releases 17.3.2, 17.2.5, and 17.1.7. This vulnerability allows malicious actors to trigger pipeline jobs as arbitrary users. By exploiting this weakness, attackers can potentially execute arbitrary code with elevated privileges, granting them unauthorized access to sensitive resources and system components.
Given the nature of this vulnerability, which involves continuous integration (CI) pipelines, the risk is significant. Pipeline jobs can often interact with key systems, deployment environments, and sensitive data. By gaining the ability to execute jobs under another user’s identity, attackers can circumvent normal access controls, leading to severe consequences such as data theft, system manipulation, and more.
This marks the fourth major vulnerability GitLab has addressed in the past year. Previously, GitLab tackled three other critical issues: CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385, each with a high CVSS score of 9.6.
While there is currently no evidence that these vulnerabilities are being actively exploited, it is crucial for users to apply the latest patches as soon as possible. Taking swift action will help protect your systems from potential threats and ensure that your data remains secure.
Other Notable Vulnerabilities Patched
In addition to CVE-2024-6678, the update addresses other significant vulnerabilities:
CVE-2024-8640 (CVSS 8.5) – A code injection vulnerability that allows attackers to inject malicious commands into the Product Analytics YAML configuration in GitLab EE. This flaw poses a serious threat to systems that rely on Product Analytics.
CVE-2024-8635 (CVSS 7.7) – A Server-Side Request Forgery (SSRF) vulnerability that enables attackers to exploit the Dependency Proxy by crafting custom URLs. This issue could be used for reconnaissance or to launch more complex attacks on internal networks.
CVE-2024-8124 (CVSS 7.5) – A Denial of Service (DoS) vulnerability that can render GitLab services unavailable by sending excessively large “glm_source” parameters, disrupting essential features.
Mitigation and Recommendations
GitLab has advised all self-hosted instances to update to the latest versions immediately to mitigate the risk. GitLab.com users are already protected, as the platform has automatically implemented the fixes. Administrators of self-managed instances should upgrade to the patched versions (17.3.2, 17.2.5, or 17.1.7) to secure their environments. Failure to update could result in attackers exploiting these vulnerabilities to compromise system integrity, steal sensitive information, or disrupt services.
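As an added example (not GitLab's own code or tooling), the following Python helper turns the version ranges stated above into a check an administrator can run across an inventory of self-managed instances. It assumes version strings in the form GitLab reports them (for example the version field returned by the /api/v4/version endpoint, such as 17.3.1-ee); the sample inventory at the bottom is constructed for illustration.

```python
import re

# Affected range for CVE-2024-6678 as stated in the advisory summary:
# GitLab 8.14 up to, but not including, the patched releases below.
AFFECTED_SINCE = (8, 14, 0)

# First fixed release on each branch that received a patch.
FIXED_IN = {
    (17, 3): (17, 3, 2),
    (17, 2): (17, 2, 5),
    (17, 1): (17, 1, 7),
}


def parse_version(version_str):
    """Parse 'MAJOR.MINOR[.PATCH][-ee|-ce...]' into a comparable tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version_str)
    if not m:
        raise ValueError("unrecognised GitLab version string: %r" % version_str)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_cve_2024_6678(version_str):
    """True if the given GitLab version falls inside the affected range."""
    v = parse_version(version_str)
    if v < AFFECTED_SINCE:
        return False
    branch = v[:2]
    if branch in FIXED_IN:
        # Patched branch: vulnerable only below the first fixed release.
        return v < FIXED_IN[branch]
    # Branches before 17.1 received no patch and remain affected;
    # branches after 17.3 were released after the fix.
    return branch < (17, 1)


def recommended_upgrade(version_str):
    """Return the patched release for the instance's branch, or None when the
    branch has no patch and the instance must move to a patched branch."""
    branch = parse_version(version_str)[:2]
    fixed = FIXED_IN.get(branch)
    return "%d.%d.%d" % fixed if fixed else None


def triage(inventory):
    """Map hostname -> version for instances that still need an upgrade."""
    return {
        host: {"version": ver, "upgrade_to": recommended_upgrade(ver)}
        for host, ver in inventory.items()
        if is_vulnerable_cve_2024_6678(ver)
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    inventory = {
        "git-prod.example.internal": "17.3.1-ee",
        "git-stage.example.internal": "17.2.5-ce",
        "git-legacy.example.internal": "16.11.4-ee",
        "git-new.example.internal": "17.4.0-ee",
    }
    for host, info in sorted(triage(inventory).items()):
        target = info["upgrade_to"] or "a patched branch (17.1.7 or later)"
        print("%s: %s -> upgrade to %s" % (host, info["version"], target))
```

Instances on branches that received no patch (anything below 17.1) come back with upgrade_to set to None, which is the signal to move them onto one of the three patched branches rather than look for a same-branch fix.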
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.