GitLab has upgraded its Community and Enterprise editions to fix a critical vulnerability which allowed malicious actors to run pipeline jobs as any other platform user.
In its patch release notes, published on the GitLab website, the company said it “strongly” recommends users upgrade their installations to the latest versions immediately, adding that GitLab.com and GitLab Dedicated were already fixed.
The latest versions are 17.1.2, 17.0.4, 16.11.6, and the vulnerable versions are all between 15.8 and 16.11.6, 17.0 and 17.0.4, and 17.1 and 17.1.2.
Millions at risk
The critical flaw, discovered through the HackerOne bug bounty program, allows an attacker to trigger a pipeline as another user, under certain circumstances.
A GitLab Pipeline is a powerful feature of GitLab’s Continuous Integration/Continuous Deployment (CI/CD) system. It automates the process of building, testing, and deploying code, allowing developers to ensure their software is reliable and ready for release. During the build stage, the code is compiled and transformed into an executable. In the test stage, the code’s integrity and functionality are analyzed for errors and bugs. Finally, in the deployment stage, the validated code is deployed into the desired environment.
By using a pipeline, developers can streamline the development process, automate repetitive tasks, and maintain high code quality.
The vulnerability is now tracked as CVE-2024-6385, and carries a severity score of 9.6/10 (critical).
GitLab is a DevOps platform with more than 30 million registered users, according to BleepingComputer. More than half of Fortune 100 companies use it for their DevOps needs, including NASA, Intel, Siemens, Goldman Sachs, and many others.
GitLab Community Edition (CE) is an open source version that is free to use, and as such is mostly used by smaller teams. It includes core features such as source code management, issue tracking, and basic continuous integration/continuous deployment (CI/CD) capabilities.
The Enterprise edition is a paid version that offers extra features, designed to support larger organizations with more complex needs. This edition includes advanced security features, enhanced CI/CD capabilities, performance monitoring, and compliance tools. It also offers enhanced support for large-scale collaboration, project management, and resource optimization.
