GitLab warned today that a critical vulnerability in its GitLab Community and Enterprise editions allows attackers to run pipeline jobs as another user.
The GitLab DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS.
The flaw patched in today's security update is tracked as CVE-2024-6385 and received a CVSS base score of 9.6 out of 10.
It affects all GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. Under certain circumstances that GitLab has yet to disclose, attackers can exploit it to trigger a new pipeline as an arbitrary user.
GitLab pipelines are a Continuous Integration/Continuous Deployment (CI/CD) feature that lets users automatically run processes and tasks, in parallel or sequentially, to build, test, or deploy code changes.
The company released GitLab Community and Enterprise versions 17.1.2, 17.0.4, and 16.11.6 to address this critical security flaw and advised all admins to upgrade all installations immediately.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” it warned. “GitLab.com and GitLab Dedicated are already running the patched version.”
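The affected and fixed version ranges above are the check an administrator actually needs to run against an instance inventory. The following is an added example, not code from GitLab or from this article: it encodes the ranges as stated (lower bound inclusive, upper bound exclusive, since the upper bound is the first fixed release on each line) and reports which instances need an upgrade and to which release. The inventory and host names are constructed sample data.

```python
from typing import Dict, Optional, Tuple

# Affected ranges for CVE-2024-6385 as listed in the advisory. The upper bound of
# each range is the patched release on that line, so it is treated as exclusive.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing suffix such as '-ee' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def patched_target(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    return patched_target(version) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected instance name to the release it must be upgraded to."""
    return {name: patched_target(ver) for name, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "git-prod": "16.11.5",      # affected, needs 16.11.6
    "git-staging": "17.1.2",    # already on the fixed release
    "git-legacy": "15.7.9-ee",  # below the affected range
    "git-dev": "17.0.3",        # affected, needs 17.0.4
}

if __name__ == "__main__":
    for name, target in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: upgrade to {target}")
```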
Account takeover flaw actively exploited in attacks
GitLab patched an almost identical vulnerability (tracked as CVE-2024-5655) in late June, which could also be exploited to run pipelines as other users.
One month earlier, it fixed a high-severity vulnerability (CVE-2024-4835) that enables unauthenticated threat actors to take over accounts in cross-site scripting (XSS) attacks.
As CISA warned in May, threat actors are also actively exploiting another zero-click GitLab vulnerability (CVE-2023-7028) patched in January. This vulnerability allows unauthenticated attackers to hijack accounts via password resets.
While Shadowserver found over 5,300 vulnerable GitLab instances exposed online in January, fewer than half (1,795) are still reachable today.
Attackers target GitLab because it hosts various types of sensitive corporate data, including API keys and proprietary code, leading to significant security impact following a breach.
This includes supply chain attacks if threat actors insert malicious code into CI/CD (Continuous Integration/Continuous Deployment) environments, compromising the breached organization's repositories.