Critical GitLab Flaw Allows Pipeline Hijacking (CVE-2024-6385)
GitLab has disclosed a critical vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to execute pipelines on behalf of any user.
The vulnerability, CVE-2024-6385 (CVSS score 9.6), affects GitLab CE/EE versions from 15.8 up to but not including 16.11.6, from 17.0 up to but not including 17.0.4, and from 17.1 up to but not including 17.1.2. Under certain conditions, which GitLab has not yet disclosed, an attacker can use the flaw to run new pipelines as an arbitrary user.
GitLab pipelines are an essential component of the Continuous Integration/Continuous Deployment (CI/CD) system, enabling users to automate processes and tasks for building, testing, and deploying code changes.
Exploitation could have severe consequences, including a supply-chain compromise: an attacker who injects malicious code into the CI/CD environment can in turn compromise the organization’s repositories.
The company has released GitLab CE and EE versions 17.1.2, 17.0.4, and 16.11.6 to address the vulnerability and strongly recommends that administrators immediately update all installations to the latest versions.