This critical GitLab flaw allows attackers to run pipeline jobs as other users – patch now


GitLab has patched a critical vulnerability that allows attackers to run pipeline jobs as any other user, recommending that users upgrade immediately.

A GitLab pipeline, part of GitLab's Continuous Integration/Continuous Deployment (CI/CD) system, is a set of jobs that build, test and deploy code automatically. Jobs run with the permissions of the user who triggered the pipeline, which is why the ability to trigger one as somebody else is so serious: the attacker inherits that user's access to repositories, variables and deployment targets.

Tracked as CVE-2024-6385, the flaw could lead to supply chain compromise, data breaches, or a denial of service incident, the advisory warned. The flaw was given a CVSS severity rating of 9.6 out of 10, and was discovered by "yvvdwf" through GitLab's HackerOne bug bounty program.

CVE-2024-6385 would allow an attacker "under certain circumstances" to trigger a new pipeline, potentially access private repositories, and manipulate, steal, or exfiltrate code and data.

There's no evidence that it's been used in the wild so far, and GitLab said that GitLab.com and GitLab Dedicated are already running the patched version.

The GitLab DevSecOps platform has over 30 million registered users and is used by more than half of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS.

The Community Edition (CE) is an open source version that's free to use, while the Enterprise Edition (EE) is a paid version with extra features.

What GitLab versions are at risk?

CVE-2024-6385 affects GitLab CE/EE versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2. The issue is resolved by updating to versions 16.11.6, 17.0.4 or 17.1.2, the company said. 
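The three affected ranges above are easy to misread at the boundaries (16.11.6 is fixed, 16.11.5 is not; 17.0.4 is fixed, 17.0.3 is not). The following is an added example, not code from GitLab or the advisory, that encodes the listed ranges and tells you whether a given version string falls inside them. The version strings it is run against are constructed for illustration; a `-ee` or `-ce` suffix is tolerated because that is how GitLab reports its own version.

```python
"""Check a GitLab CE/EE version against the CVE-2024-6385 affected ranges.

Added example, not GitLab's own code. The ranges are taken from the
advisory text above; the sample version strings are constructed.
"""
import re

# (first affected, first fixed) for each release line named in the advisory.
# A version v is affected when lo <= v < hi for some pair.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),   # 15.8 up to, but not including, 16.11.6
    ((17, 0, 0), (17, 0, 4)),    # 17.0 up to, but not including, 17.0.4
    ((17, 1, 0), (17, 1, 2)),    # 17.1 up to, but not including, 17.1.2
]


def parse_version(text: str) -> tuple:
    """Turn '17.0.3-ee' or '16.11.5' into a comparable (major, minor, patch) tuple.

    Suffixes such as '-ee' or '-ce' are ignored; 'X.Y' is treated as 'X.Y.0'.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version lies inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str):
    """Return the patch release an affected install should move to, else None.

    Each range's upper bound is the first fixed release for that line, so the
    recommended target is the upper bound of whichever range the version hits.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    # Constructed sample inputs covering each boundary in the advisory.
    for sample in ["15.7.9", "15.8.0", "16.11.5", "16.11.6-ee",
                   "17.0.3-ee", "17.0.4-ee", "17.1.1", "17.1.2"]:
        target = fixed_version_for(sample)
        status = f"affected, upgrade to {target}" if target else "not in listed ranges"
        print(f"{sample:<12} {status}")
```

On a self-managed instance the string to feed `is_affected` is the `version` field returned by `GET /api/v4/version` (it needs an authenticated token and comes back as, for example, `17.0.3-ee`). Note that "not in listed ranges" only means the version is outside what this advisory names; a release older than 15.8 is still unsupported and carries other unpatched issues.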

"These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately," GitLab noted in its advisory.

As its CVSS score implies, the vulnerability should be taken very seriously, according to Ray Kelly, fellow at the Synopsys Software Integrity Group.

"In today's fast-paced DevSecOps world, any mention of a vulnerability in pipeline functionality can certainly make the hairs on your neck stand up," Kelly told ITPro.


"Once a pipeline is compromised, software can be altered with malware, backdoors, or used to steal private information from organisations. This is difficult to detect because security scans are usually conducted earlier in the SDLC process."

This latest vulnerability is similar to another GitLab flaw, CVE-2024-5655, again with a CVSS score of 9.6, that was patched late last month. This vulnerability also enabled an attacker to run pipelines as other users.

Similarly, another flaw, CVE-2023-7028, an account-takeover bug in GitLab's password reset flow, was disclosed and patched in January and was subsequently targeted by attackers. That vulnerability was given the maximum CVSS score of 10.

"Given recent high-profile supply chain breaches, it’s clear that organisations need to patch vulnerabilities immediately to prevent threat actors from compromising their software," Kelly said.

"Additionally, introducing security scanning within the pipeline can help detect issues before they are deployed."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.