GitLab warns of critical security flaw that could allow hacker takeovers
GitLab has upgraded the Community and Enterprise editions to fix a critical vulnerability that allowed attackers to execute pipeline tasks as any other platform user.
In the patch release notes, published on the GitLab website, the company said it “strongly” recommends users to immediately upgrade their installations to the latest versions, adding that GitLab.com and GitLab Dedicated had already been fixed.
The latest versions are 17.1.2, 17.0.4, 16.11.6 and the vulnerable versions are all between 15.8 and 16.11.6, 17.0 and 17.0.4 and 17.1 and 17.1.2.
Millions of people at risk
The critical vulnerability, discovered through the HackerOne bug bounty program, allows an attacker to activate a pipeline as another user under certain circumstances.
A GitLab Pipeline is a powerful feature of GitLab’s Continuous Integration/Continuous Deployment (CI/CD) system. It automates the process of building, testing, and deploying code, allowing developers to ensure that their software is reliable and ready for release. During the build phase, code is compiled and converted into an executable file. In the testing phase, the integrity and functionality of the code are analyzed for errors and bugs. Finally, in the deployment phase, the validated code is deployed to the desired environment.
By using a pipeline, developers can streamline the development process, automate repetitive tasks, and maintain high code quality.
The vulnerability is now registered as CVE-2024-6385 and has a severity score of 9.6/10 (critical).
GitLab is a DevOps platform with over 30 million registered users, according to BleepingComputerMore than half of the Fortune 100 companies use it for their DevOps needs, including NASA, Intel, Siemens, Goldman Sachs, and many others.
GitLab Community Edition (CE) is an open source version that is free to use and as such is mainly used by smaller teams. It includes core features such as source code management, issue tracking, and basic continuous integration/continuous deployment (CI/CD) capabilities.
The Enterprise edition is a paid version that offers additional features, designed to support larger organizations with more complex needs. This edition includes advanced security features, enhanced CI/CD capabilities, performance monitoring, and compliance tools. It also offers enhanced support for large-scale collaboration, project management, and resource optimization.