
Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

GitLab on Wednesday released security updates to address 17 vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.

The vulnerability, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0.

"An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert.

The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity flaws, has been resolved in versions 17.3.2, 17.2.5, and 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year, following CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).

While there is no evidence of active exploitation of the flaws, users are encouraged to apply the updates as soon as possible to guard against potential threats.
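A version check built from the affected ranges quoted above, as an added example that is not part of the original article or GitLab's own tooling. The function names and the sample inventory are constructed for illustration.

```python
import re

# Affected ranges for CVE-2024-6678 as quoted in the advisory above, written as
# half-open intervals: (first affected version, first fixed version).
AFFECTED_RANGES = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]

def parse_version(text):
    """Turn '17.3.1-ee', 'v17.2' or '17.1.7' into a comparable 3-tuple.
    Edition suffixes (-ee, -ce) are ignored; a missing patch level counts as 0."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def check_version(text):
    """Return (affected, fixed_version): fixed_version is the patched release
    that closes the matching range, or None when the version is not listed."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return True, ".".join(map(str, first_fixed))
    return False, None

def audit(inventory):
    """Map each affected host to (running version, first patched release)."""
    findings = {}
    for host, running in inventory.items():
        affected, fixed = check_version(running)
        if affected:
            findings[host] = (running, fixed)
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "17.3.1-ee",
    "gitlab-stage.example.internal": "17.2.5",
    "gitlab-legacy.example.internal": "16.11.3-ce",
    "gitlab-lab.example.internal": "17.1.7",
}

if __name__ == "__main__":
    for host, (running, fixed) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {running} is affected, first patched release is {fixed}")
```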

Earlier in May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that a major GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) had come under active exploitation in the wild.
