GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.
The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0
“An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” the company said in an alert.
The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
It’s worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).
While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches as soon as possible to mitigate against potential threats.
Earlier this May, U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) had come under active exploitation in the wild.
