Gitlab Fixes Critical Vulnerability -CVE-2024-6385

In its July 2024 patch release, GitLab disclosed six vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE). One of them, CVE-2024-6385, is rated critical (CVSS 9.6): under certain circumstances it lets an attacker trigger a pipeline as another user, which means CI jobs run with that user's permissions, variables and access to protected branches and environments. The flaw is closely related to CVE-2024-5655, a similarly rated pipeline-impersonation bug GitLab patched in June 2024 (17.1.1, 17.0.3, 16.11.5), so instances that only applied the June update are still exposed.


Vulnerabilities Summary

  • CVE-2024-6385 (critical, CVSS 9.6) affects GitLab 15.8 before 16.11.6, 17.0 before 17.0.4 and 17.1 before 17.1.2. It lets an attacker run pipeline jobs as another user, putting the integrity and confidentiality of every project that user can reach at risk.
  • CVE-2024-5257 (medium) lets a Developer holding a specific custom admin permission modify a group's namespace URL, which could be used to cause confusion or to set up phishing.
  • CVE-2024-5528 (medium) is a subdomain takeover weakness in GitLab Pages that could let an attacker serve content, and so redirect visitors to a malicious site, from a hostname that looks legitimate.
  • CVE-2024-5470 (low) lets a Guest user who has been granted an elevated custom permission create project-level deploy tokens, which could grant access to project resources the user should not have.
  • CVE-2024-6595 (low) allows NPM packages with conflicting package data to be uploaded to the package registry, which an attacker could use in a dependency confusion attack.
  • CVE-2024-2880 (low) lets a user with a specific group-admin custom permission ban group members, disrupting collaboration.

GitLab strongly recommends that all self-managed installations upgrade to a patched release (17.1.2, 17.0.4 or 16.11.6) immediately; GitLab.com already runs the fixed version. Note that 16.11.6 is a backport for the 16.11 branch only: an instance on an older minor such as 16.10 has no patch of its own and must move up to at least 16.11.6. GitLab has released patches addressing all six vulnerabilities and emphasised the importance of prompt action to protect against potential exploitation.
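A practitioner with more than one self-managed instance will want to check each one against those three fixed releases rather than eyeball version strings. The following is an added example written for this page, not code from GitLab or the advisory. It assumes the `version` field of GitLab's `GET /api/v4/version` response (a string such as `"17.1.1-ee"`) has already been fetched with an authenticated request; the JSON embedded below is a constructed sample, and the `needs_upgrade` and `check_instance` function names are this example's own.

```python
"""Decide whether a GitLab version string is below the July 2024 patched
releases (17.1.2, 17.0.4, 16.11.6) announced with CVE-2024-6385.

Added example for this page, not GitLab's own tooling.
"""
import json
import re

# Patched releases per branch. Any 17.1.x below 17.1.2 and any 17.0.x below
# 17.0.4 is unpatched; everything older than 16.11.6 (16.11.0-16.11.5, every
# earlier minor, and end-of-life branches) has no fix of its own and must move
# to at least 16.11.6. Minors newer than 17.1 ship with the fix already.
PATCHED = {
    (17, 1): (17, 1, 2),
    (17, 0): (17, 0, 4),
}
OLDEST_PATCHED = (16, 11, 6)


def parse_version(version):
    """Return (major, minor, patch) from a GitLab version string.

    GitLab appends an edition suffix ("17.1.1-ee", "16.11.5-ce"), and some
    builds carry a pre-release tag; only the leading numeric triple matters.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def needs_upgrade(version):
    """True if the given version is below the patched release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        return v < PATCHED[branch]
    if branch > (17, 1):
        # 17.2 and later were cut after the fix landed.
        return False
    # 16.11.x and anything older: 16.11.6 is the only patched release.
    return v < OLDEST_PATCHED


def check_instance(version_json):
    """Parse a /api/v4/version response body and report the verdict.

    Returns a dict so callers can aggregate results across many instances.
    """
    body = json.loads(version_json)
    version = body["version"]
    return {
        "version": version,
        "needs_upgrade": needs_upgrade(version),
        "patched_target": _target_for(parse_version(version)),
    }


def _target_for(v):
    """The minimum release an instance on this branch should be running."""
    branch = v[:2]
    if branch in PATCHED:
        return "%d.%d.%d" % PATCHED[branch]
    if branch > (17, 1):
        return "%d.%d.%d" % v  # already on a fixed minor
    return "%d.%d.%d" % OLDEST_PATCHED


# Constructed sample response in the shape GitLab's /api/v4/version returns;
# the revision value is a placeholder, not a real commit.
SAMPLE_RESPONSE = '{"version": "17.1.1-ee", "revision": "0123456789a"}'

if __name__ == "__main__":
    for ver in ["17.1.1-ee", "17.1.2-ee", "17.0.3-ce", "16.11.6-ce", "16.10.7-ee", "17.2.0-ee"]:
        print(f"{ver:12s} needs upgrade: {needs_upgrade(ver)}")
    print(check_instance(SAMPLE_RESPONSE))
```

Run this against the version each instance reports and upgrade every one that returns `needs_upgrade: True`. The branch logic matters: a naive "is it 17.1.2 or newer" comparison would wrongly flag a correctly patched 17.0.4 or 16.11.6 and, worse, pass a 17.1.1 that sorts above them.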
