17 vulnerabilities, including critical CVE-2024-6678, addressed in new GitLab release
GitLab issued security updates on Wednesday, addressing 17 vulnerabilities, including a critical flaw that could allow attackers to run pipeline jobs as an arbitrary user. The flaw, identified as CVE-2024-6678, carries a CVSS score of 9.9 out of 10.0, marking it as a significant threat.
“This issue, present in GitLab CE/EE from version 8.14 up to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, allows attackers to trigger a pipeline under certain conditions,” GitLab stated in its alert.
The newly released updates, versions 17.3.2, 17.2.5, and 17.1.7, fix the critical flaw along with three high-severity, 11 medium-severity, and two low-severity vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE).
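The affected ranges quoted above are easy to misread when checking a fleet of instances by hand, so here is an added example (not part of the original article or of GitLab's own tooling) that turns them into a version check. It assumes the advisory's "from 8.14 up to 17.1.7" means 17.1.7 itself is fixed, consistent with 17.1.7 being one of the patched releases, and that version strings may carry an edition suffix such as `-ee`; the inventory list at the bottom is constructed sample input.

```python
"""Check GitLab version strings against the CVE-2024-6678 affected ranges.

Added example; the ranges are the ones stated in the advisory quoted in the article.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Advisory ranges as [start, fixed): start inclusive, fixed release exclusive.
# Assumption: "up to 17.1.7" is read as "prior to 17.1.7", since 17.1.7 is a patched release.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]


def parse_version(raw: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable (major, minor, patch) tuple.

    Edition suffixes such as '17.3.1-ee' are dropped; a missing patch number is taken as 0,
    so '17.3' means the start of the 17.3 line, matching how the advisory phrases ranges.
    """
    core = raw.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {raw!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # type: ignore[return-value]


def is_affected(raw: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(raw)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(raw: str) -> Optional[str]:
    """Smallest patched release that closes the range the version sits in, or None if unaffected.

    For anything below 17.1.7 (including 16.x and older) that is 17.1.7; for 17.2.x it is 17.2.5;
    for 17.3.x it is 17.3.2.
    """
    v = parse_version(raw)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def report(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Evaluate (hostname, version) pairs and return (host, version, affected, fix) rows."""
    return [(host, ver, is_affected(ver), minimum_fixed_version(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = [
        ("gitlab-prod.example.test", "17.3.1-ee"),
        ("gitlab-stage.example.test", "17.2.5-ee"),
        ("gitlab-legacy.example.test", "16.11.0-ce"),
        ("gitlab-new.example.test", "17.4.0-ee"),
    ]
    for host, ver, affected, fix in report(sample):
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{host:30} {ver:12} {status}")
```

The check deliberately compares tuples rather than strings, so `17.10.0` would sort after `17.3.2` correctly; string comparison would get that wrong. Feed it the `version` field from your own inventory source and treat any `AFFECTED` row as a patch-now item, per the advisory's guidance.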
CVE-2024-6678 is the fourth high-impact vulnerability addressed by GitLab this year, following fixes for CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385, all with CVSS scores of 9.6.
Though no active exploits of the flaw have been detected, GitLab advises users to apply the latest patches immediately to safeguard against potential threats.
In May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a separate critical GitLab vulnerability, CVE-2023-7028 (CVSS score: 10.0), had been actively exploited.