'GitLab Warns Of Critical Pipeline Execution Vulnerability' - Bleeping Computer

Benzinga ·  09/12 10:57

GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.

The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.

With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job.

The severity of the flaw comes from its potential for remote exploitation, lack of user interaction, and the low privileges required for exploiting it.

GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.

GitLab pipelines are automated workflows used to build, test, and deploy code, part of GitLab's CI/CD (Continuous Integration/Continuous Delivery) system.

They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.

GitLab addressed arbitrary pipeline execution vulnerabilities multiple times in recent months, including in July 2024, to fix CVE-2024-6385, in June 2024, to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical.

The bulletin also lists four high-severity issues with scores between 6.7 and 8.5 that could potentially allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows:

  • CVE-2024-8640: Due to improper input filtering, attackers could inject commands into a connected Cube server via YAML configuration, potentially compromising data integrity. Impacts GitLab EE starting from 16.11.
  • CVE-2024-8635: Attackers could exploit a Server-Side Request Forgery (SSRF) vulnerability by crafting a custom Maven Dependency Proxy URL to make requests to internal resources, compromising internal infrastructure. Affects GitLab EE starting from 16.8.
  • CVE-2024-8124: Attackers could trigger a DoS attack by sending a large 'glm_source' parameter, overwhelming the system and making it unavailable. Impacts GitLab CE/EE starting from 16.4.
  • CVE-2024-8641: Attackers could exploit a CI_JOB_TOKEN to gain access to a victim's GitLab session token, allowing them to hijack a session. Affects GitLab CE/EE starting from 13.7.
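As an added example, not code from the article or from GitLab: a small Python check that maps a self-hosted instance's version and edition to the CVEs in this bulletin whose stated affected ranges cover it, for both the critical CVE-2024-6678 ranges and the "starting from" versions of the four high-severity issues. It assumes the high-severity issues are fixed in the same three patched releases (17.1.7, 17.2.5, 17.3.2), which the article implies (18 issues patched in that release) but does not state per CVE.

```python
# Patched releases named in the bulletin, one per maintained release branch.
FIXED = ((17, 1, 7), (17, 2, 5), (17, 3, 2))

# (CVE, editions affected, first affected version) as stated in the article.
ADVISORIES = [
    ("CVE-2024-6678", {"CE", "EE"}, (8, 14, 0)),   # critical, 9.9
    ("CVE-2024-8640", {"EE"},       (16, 11, 0)),  # Cube server command injection
    ("CVE-2024-8635", {"EE"},       (16, 8, 0)),   # Maven Dependency Proxy SSRF
    ("CVE-2024-8124", {"CE", "EE"}, (16, 4, 0)),   # glm_source DoS
    ("CVE-2024-8641", {"CE", "EE"}, (13, 7, 0)),   # CI_JOB_TOKEN session hijack
]


def parse_version(text):
    """'17.2.4-ee' -> (17, 2, 4). A build suffix such as '-ee' is dropped and
    missing components are padded with zeros so '17.2' compares as 17.2.0."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_unpatched(version):
    """True when the version is older than the fix on its own release branch.
    Branches older than 17.1 received no fix in this bulletin, so anything
    below 17.1.7 is treated as unpatched; newer branches are treated as fixed."""
    for fixed in FIXED:
        if fixed[:2] == version[:2]:
            return version < fixed
    return version < FIXED[0]


def affected_cves(version_text, edition):
    """Return the CVEs from this bulletin that apply to a given instance.
    Assumption (labelled above): every listed CVE is fixed in the FIXED releases."""
    version = parse_version(version_text)
    if not is_unpatched(version):
        return []
    return [
        cve for cve, editions, first in ADVISORIES
        if edition in editions and version >= first
    ]


if __name__ == "__main__":
    for instance in (("17.2.4-ee", "EE"), ("16.9.1", "CE"), ("17.3.2", "CE")):
        print(instance, "->", affected_cves(*instance) or "nothing from this bulletin")
```

The version string and edition are inputs you supply from the instance (for example from its admin area); the script does not contact any server.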

For update instructions, source code, and packages, check out GitLab's official download portal. The latest GitLab Runner packages are available here.
