Critical bug lets attackers run pipelines as other users

GitLab warned today that a critical vulnerability in its product's GitLab Community and Enterprise editions allows attackers to run pipeline jobs as any other user.

The GitLab DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS.

The flaw patched in today's security update is tracked as CVE-2024-6385, and it received a CVSS base score severity rating of 9.6 out of 10.

It affects all GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. Under certain circumstances that GitLab has yet to disclose, attackers can exploit it to trigger a new pipeline as an arbitrary user.

GitLab pipelines are a Continuous Integration/Continuous Deployment (CI/CD) system feature that lets users automatically run processes and tasks in parallel or sequentially to build, test, or deploy code changes.

The company released GitLab Community and Enterprise versions 17.1.2, 17.0.4, and 16.11.6 to address this critical security flaw and advised all admins to upgrade all installations immediately.
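For an admin with more than one self-managed instance, the affected ranges above translate directly into an inventory check. The following script is an added example, not GitLab's own tooling: it encodes the three affected ranges as printed in this article, treats the upper bound of each range as the patched release named by GitLab (so 16.11.6, 17.0.4 and 17.1.2 themselves are reported as not affected), and reports which patched release each instance should move to. The hostnames and version strings in the sample inventory are constructed, and the `parse_version` helper's acceptance of a leading `v` and an edition suffix such as `-ee` is an assumption about how version strings may appear in an export.

```python
"""Check self-managed GitLab versions against the CVE-2024-6385 affected ranges.

Added example, not GitLab's code. Ranges are taken from the article; the upper
bound of each range is the patched release and is treated as not affected.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected version inclusive, patched release exclusive), per the article.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]


def parse_version(text: str) -> Version:
    """Parse 'X.Y' or 'X.Y.Z' into a comparable tuple.

    Assumption: strings may carry a leading 'v' or a trailing edition suffix
    such as '-ee'; anything after the numeric part is ignored.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release an affected version should upgrade to,
    or None when the version is outside every affected range."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return "%d.%d.%d" % fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def check_instances(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Map (host, version) pairs to (host, version, patched release or None)."""
    return [(host, ver, fixed_version_for(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = [
        ("gitlab-a.example.internal", "16.11.5-ee"),
        ("gitlab-b.example.internal", "17.0.4"),
        ("gitlab-c.example.internal", "17.1.1"),
        ("gitlab-d.example.internal", "15.7.3"),
    ]
    for host, ver, fixed in check_instances(inventory):
        status = f"AFFECTED -> upgrade to {fixed}" if fixed else "not in affected range"
        print(f"{host:28} {ver:12} {status}")
```

Because each range's lower bound is inclusive and its upper bound is the fix, a version such as 17.0.4 is reported clean while 17.0.3 is flagged; a release newer than 17.1.2 falls outside every range and is likewise reported clean, which matches the upgrade advice in the article.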

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” it warned. “ and GitLab Dedicated are already running the patched version.”

Account takeover flaw actively exploited in attacks

GitLab patched an almost identical vulnerability (tracked as CVE-2024-5655) in late June, which could also be exploited to run pipelines as other users.

One month earlier, it fixed a high-severity vulnerability (CVE-2024-4835) that allows unauthenticated threat actors to take over accounts in cross-site scripting (XSS) attacks.

As CISA warned in May, threat actors are also actively exploiting another zero-click GitLab vulnerability (CVE-2023-7028) patched in January. This vulnerability allows unauthenticated attackers to hijack accounts via password resets.

While Shadowserver found over 5,300 vulnerable GitLab instances exposed online in January, fewer than half (1,795) are still reachable today.

Attackers target GitLab because it hosts various types of sensitive corporate data, including API keys and proprietary code, leading to significant security impact following a breach.

This includes supply chain attacks if the threat actors insert malicious code into CI/CD (Continuous Integration/Continuous Deployment) environments, compromising the breached organization's repositories.