
GitLab has released critical security patches for its Community Edition (CE) and Enterprise Edition (EE) that could allow an attacker to execute arbitrary code.
Vulnerability details
CVE-2024-6678, with a CVSS score of 9.9, affects all GitLab CE/EE versions starting from 8.14 up to the patched versions. This flaw allows an attacker to execute pipeline jobs as an arbitrary user under certain conditions. This command injection vulnerability could lead to full system compromise by enabling unauthorized pipeline executions with elevated privileges.
CVE-2024-8640, with a CVSS score of 8.5, was discovered in GitLab EE versions 16.11 and above. In this vulnerability, attackers could inject malicious commands into the Product Analytics funnels YAML configuration due to incomplete input filtering. This code injection vulnerability could be exploited by attackers to execute unauthorized commands on connected Cube servers.
CVE-2024-8635, with a CVSS score of 7.7, affects GitLab EE versions 16.8 and later. The flaw allows attackers to craft custom Maven Dependency Proxy URLs to make unauthorized requests to internal resources. This could be leveraged for reconnaissance and further attacks on internal network resources.
CVE-2024-8124, with a CVSS score of 7.5, affects GitLab CE/EE versions starting from 16.4. By sending an excessively large glm_source parameter, an attacker could cause GitLab services to become unavailable, disrupting access to essential features.
GitLab strongly advises all self-managed installations to immediately upgrade to the latest versions to protect against these vulnerabilities. GitLab.com users are already protected, as the platform is running the patched versions, and GitLab Dedicated customers do not need to take action. For those running affected versions, upgrading to 17.3.2, 17.2.5, or 17.1.7 is critical to maintaining the security and integrity of your GitLab environment.
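As an added example (not GitLab's own tooling), the following script checks a self-managed instance's version string against the fixed releases named in this advisory (17.3.2, 17.2.5, 17.1.7) and the earliest affected version (8.14) and reports whether an upgrade is needed. The sample version strings at the bottom are constructed for illustration; the assumption that any release newer than 17.3.2 already carries the fix follows from the advisory's "up to the patched versions" wording.

```python
"""Check a GitLab CE/EE version against the patched releases in this advisory."""
import re

# Fixed releases and the earliest affected version, taken from the advisory text.
FIXED_RELEASES = ((17, 3, 2), (17, 2, 5), (17, 1, 7))
FIRST_AFFECTED = (8, 14, 0)  # CVE-2024-6678 affects CE/EE from 8.14 onward


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' (edition suffixes such as '-ee' are ignored) into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Return (status, minimum_target) where status is 'patched', 'affected' or 'unaffected'.

    minimum_target is the fixed release to upgrade to, or None when no action is needed.
    """
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return ("unaffected", None)
    # Same major.minor as a fixed release: patched only if the patch level is high enough.
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            if v >= fixed:
                return ("patched", None)
            return ("affected", "%d.%d.%d" % fixed)
    # Assumed: anything newer than the newest fixed branch (e.g. 17.4.x) includes the fix.
    if v > FIXED_RELEASES[0]:
        return ("patched", None)
    # Older minor branch with no fixed release: the lowest fixed release is the minimum target.
    return ("affected", "%d.%d.%d" % FIXED_RELEASES[-1])


if __name__ == "__main__":
    # Constructed sample inputs, in the format reported by GitLab's /api/v4/version endpoint.
    for sample in ("17.3.1-ee", "17.3.2", "17.2.4", "16.11.0", "8.13.5", "17.4.0"):
        print(sample, "->", assess(sample))
```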


