
GitLab Unveils New CI/CD Pipeline Takeover Vulnerability, Prompting User Concerns


GitLab users are facing yet another critical vulnerability in both the community and enterprise editions of the DevOps platform, sparking concerns about the security of CI/CD pipelines. This vulnerability, identified as CVE-2024-6385, allows attackers to run a pipeline in the context of any user within the GitLab system, potentially leading to unauthorized access, data breaches, and disruption of development pipelines.

With a severity rating of 9.6 out of 10 on the CVSS scale, this vulnerability affects GitLab CE/EE versions 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. The company has urged users to promptly deploy the fix provided to address this critical issue, emphasizing the importance of upgrading to the latest version as soon as possible to mitigate the risk.
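The affected-version ranges above are the first thing an administrator has to check against every GitLab instance they run. The following script is an added example, not code from GitLab or from the article: it parses a GitLab version string (such as the `version` field returned by the real `GET /api/v4/version` endpoint) and reports whether it falls inside the ranges the article lists. It assumes the upper bound of each range is the first patched release, so a version equal to that bound is treated as fixed; confirm that reading against GitLab's own advisory before relying on it.

```python
"""Check a GitLab version against the affected ranges listed in the article."""
from __future__ import annotations

import json
import re

# Ranges quoted in the article as (first affected, first patched).
# ASSUMPTION: the upper bound is the first fixed release, so only versions
# strictly below it are considered affected. Verify against GitLab's advisory.
AFFECTED_RANGES = [
    ("15.8", "16.11.6"),
    ("17.0", "17.0.4"),
    ("17.1", "17.1.2"),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '17.0.4-ee' or 'v16.11' into a comparable (major, minor, patch) tuple.

    Edition suffixes such as '-ee' are ignored and missing components are
    treated as 0, so '17.0' compares as 17.0.0.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> tuple[bool, str | None]:
    """Return (affected, first_patched_release) for a GitLab version string."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fixed):
            return True, fixed
    return False, None


def check_api_payload(payload: str) -> tuple[str, bool, str | None]:
    """Evaluate the JSON body of GET /api/v4/version (field 'version')."""
    version = json.loads(payload)["version"]
    affected, fixed = is_affected(version)
    return version, affected, fixed


if __name__ == "__main__":
    # Constructed sample response, shaped like the real endpoint's JSON.
    sample = '{"version": "17.1.1-ee", "revision": "0000000"}'
    version, affected, fixed = check_api_payload(sample)
    if affected:
        print(f"{version}: AFFECTED, upgrade to {fixed} or later")
    else:
        print(f"{version}: not in the listed ranges")
```

Run it against each instance's `/api/v4/version` response (that endpoint requires an authenticated token) and schedule it alongside your regular patch checks; the range table is the only thing that needs updating when GitLab publishes further fixes.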

This recent vulnerability comes on the heels of a similar bug, CVE-2024-5655, disclosed on June 26, which also allowed attackers to run pipelines as arbitrary users. Despite sharing the same CVSS score of 9.8, there are nuanced differences between the two flaws. CVE-2024-5655 was exploitable through specific API calls, whereas CVE-2024-6385 exposes a broader set of attack vectors within the GitLab CI/CD pipeline process and is the more significant threat because of the range of actions an attacker can perform.

Security experts speculate that GitLab may not have fully resolved CVE-2024-5655 or may have discovered another pathway for exploiting a similar vulnerability, a common occurrence in software. This vulnerability requires an attacker to have a valid user account within a specific GitLab environment, decreasing the likelihood of successful exploitation but highlighting the importance of securing user accounts to prevent insider threats.

Despite the complexity involved in exploiting this vulnerability, GitLab acknowledges that sophisticated attackers with detailed knowledge of the system could potentially breach its security measures. However, with proper configuration and active monitoring, GitLab’s security features can detect and mitigate such attempts, acting as a deterrent to less skilled attackers.

For organizations relying on GitLab for their DevOps needs, this latest vulnerability marks the third severe bug they have had to address in just over two months. In addition to the recent vulnerabilities, GitLab disclosed a critical bug in May that enabled attackers to exploit improper access control, leading to account takeovers. The Cybersecurity and Infrastructure Security Agency (CISA) promptly added this bug to its Known Exploited Vulnerabilities catalog due to extensive exploit activity following its disclosure.

Overall, the recurrence of critical vulnerabilities in GitLab underscores the ongoing challenges organizations face in securing their DevOps pipelines and highlights the importance of promptly addressing and mitigating security threats to safeguard sensitive data and code repositories.
