GitLab has released a critical security update addressing several vulnerabilities; among them critical ones are CVE-2024-6678, CVE-2024-8640, CVE-2024-8635, and CVE-2024-8124.
GitLab recommends that all installations running affected versions be upgraded to the latest patched releases (17.3.2, 17.2.5, and 17.1.7) as soon as possible to mitigate potential security risks.
“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action,” GitLab said.
GitLab High-Security Vulnerabilities
The most critical vulnerability, identified as CVE-2024-6678, could allow an attacker to trigger a pipeline as another user under certain circumstances. This flaw has a CVSS score of 9.6, indicating a critical severity level.
Another high-severity issue, CVE-2024-8635, is a server-side request forgery (SSRF) vulnerability affecting GitLab Enterprise Edition. It could allow an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
CVE-2024-8124 is a high-severity denial-of-service (DoS) vulnerability that could be triggered by sending a large glm_source parameter. This flaw affects GitLab Community and Enterprise Editions.
Another high-severity issue, CVE-2024-8640, was due to incomplete input filtering, so it was possible to inject commands into a connected Cube server in GitLab EE.
Along with this, GitLab also patched another bunch of medium & low severity flaws that can be found in the advisory.
Exploiting these vulnerabilities could lead to unauthorized access, privilege escalation, and potential compromise of sensitive data and systems. Attackers could gain control over critical infrastructure components, manipulate code, or exfiltrate private information.
To mitigate these risks, GitLab urges all users to upgrade their installations to the latest patched versions (17.3.2, 17.2.5, and 17.1.7) immediately. Delaying the application of these security fixes could leave organizations vulnerable to potential attacks.
As a widely-used Git repository management platform, any security flaws in GitLab could have far-reaching consequences for software development pipelines and organizational security.
Organizations using GitLab should prioritize upgrading to the latest patched versions and review their security practices to ensure they align with industry best practices.
Regularly monitoring for security updates, implementing multi-factor authentication, and conducting thorough security audits can help strengthen defenses against potential threats.
By proactively addressing these critical vulnerabilities and adopting a security-first approach, organizations can safeguard their software development processes, protect sensitive data, and maintain the integrity of their systems.
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar