A critical GitLab vulnerability could allow an attacker to run a pipeline as another user.
GitLab is a popular Git repository, second only to GitHub, with millions of active users.
This week, it released new versions of its Community and Enterprise Editions.
The updates include fixes for 14 different security issues, including cross-site request forgery, cross-site scripting, denial of service, and more.
One of the issues is deemed of low severity according to the Common Vulnerability Scoring System, nine are of medium severity, and three are high - but there's also one critical bug with a CVSS score of 9.6 out of 10.
CVE-2024-5655 Offers Critical Threat to Code Development
That critical one, CVE-2024-5655, affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, according to the company.
It enables an attacker to trigger a pipeline as another user, but only under circumstances which GitLab did not elaborate on.
A pipeline automates the process of building, testing, and deploying code in GitLab.
Theoretically, an attacker with the ability to run pipelines as other users can access their private repositories, and manipulate, steal, or exfiltrate sensitive code and data contained therein.
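For administrators who need to know whether their instance sits inside the three affected ranges the article quotes, here is an added version-range check (example code written for this article, not GitLab's own tooling). It assumes only the standard GitLab "major.minor.patch" version string, optionally with an edition suffix such as "-ee", as returned by the instance's /api/v4/version endpoint.

```python
"""Check a GitLab version string against the CVE-2024-5655 affected ranges.

Ranges quoted in the article (lower bound inclusive, upper bound exclusive):
  15.8 <= v < 16.11.5
  17.0 <= v < 17.0.3
  17.1 <= v < 17.1.1
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) for each branch GitLab listed as vulnerable.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]


def parse_version(version: str) -> Version:
    """Turn '16.11.4-ee' or '17.0' into a comparable (major, minor, patch) tuple.

    Edition suffixes (-ee/-ce) and build metadata are ignored; a missing patch
    component is treated as .0, which is the first release of that branch.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first patched release for an affected version, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs around each boundary, not real instance data.
    for sample in ["15.7.9", "15.8.0", "16.11.4-ee", "16.11.5", "17.0.2", "17.0.3", "17.1.0", "17.1.1"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} upgrade_to={fixed_version_for(sample)}")
```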
Unlike with CVE-2023-7028 - a 10 out of 10 account takeover bug known to have been exploited earlier this spring - GitLab has thus far found no evidence of CVE-2024-5655 exploits in the wild.
A Compliance Issue, Not Just Security
Issues rooted deep in the development process like CVE-2024-5655 can sometimes cause headaches beyond the simple risk they pose on paper.
The mere fact that a software or software-driven product was built using a vulnerable version of GitLab could itself be cause for concern.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 28 Jun 2024 20:50:07 +0000