GitLab released a security update on Wednesday to address 17 security vulnerabilities, including a critical flaw that could allow attackers to run pipeline jobs as any user.
The issue, tracked as CVE-2024-6678, has a CVSS score of 9.9 out of a maximum of 10.0.
“An issue was discovered in GitLab CE/EE affecting all versions from 8.14 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. This issue could allow an attacker to trigger pipelines as any user under certain circumstances,” the company said in its alert.
The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, has been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.3.2, 17.2.5, and 17.1.7.
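As an added example (not code from the article or from GitLab), the short Python check below maps a self-managed instance's reported version string onto the affected ranges quoted from the advisory above and reports the first fixed release on that branch. It assumes the version string is read from the instance itself (for example from its version API or the admin area); the function names are hypothetical.

```python
from __future__ import annotations

# Affected ranges for CVE-2024-6678 as stated in GitLab's advisory:
# all versions from 8.14 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2.
# Each entry is (inclusive lower bound, exclusive upper bound = first fixed release).
AFFECTED_RANGES = (
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.3.1' or '17.3' into a comparable (major, minor, patch) tuple.

    Edition suffixes such as '-ee' are dropped; a missing patch number means 0.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected GitLab version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> str | None:
    """First release carrying the fix for this version's range, or None if not affected.

    Note that 16.x and 17.0.x fall in the first range, so the advisory's answer
    for them is 17.1.7: those older branches did not receive a backported fix.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("17.3.1-ee", "17.2.3", "16.11.0", "17.3.2"):
        print(sample, "affected" if is_affected(sample) else "not affected", minimum_fix(sample))
```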
It’s worth noting that CVE-2024-6678 is the fourth such critical flaw GitLab has fixed in the past year, following CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).
While there is no evidence that the flaws are being actively exploited in the wild, users are advised to apply the patch as soon as possible to mitigate any potential threat.
In early May of this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical vulnerability in GitLab (CVE-2023-7028, CVSS score: 10.0) was being exploited in the wild.