A major vulnerability exists in some versions of GitLab Community and Enterprise Edition products, which might be exploited to run pipelines as any user.
GitLab is a prominent web-based open-source software project management and task tracking tool. There are an estimated one million active license users.
Understanding the Critical GitLab Vulnerability: CVE-2024-5655
The security problem resolved in the most recent update is identified as CVE-2024-5655 and has a severity level of 9.6 out of 10. Under some conditions, which the vendor did not specify, an attacker might exploit it to execute a pipeline as another user.
GitLab pipelines are a component of the Continuous Integration/Continuous Deployment (CI/CD) system that allows users to build, test, and deploy code changes by running processes and tasks automatically, either in parallel or sequentially.
The vulnerability affects all GitLab CE/EE versions, including 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.
GitLab has resolved the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and users are encouraged to install the patches as soon as possible.
What Is CVE-2024-5655?
The vulnerability allows an attacker to trigger a pipeline as any user within the GitLab environment. In other words, an unauthorized individual can execute code within a project’s pipeline, even if they don’t have the necessary permissions. This could lead to several serious consequences:
Unauthorized Access to Sensitive Code: An attacker gains access to private repositories and sensitive code by exploiting this vulnerability. This compromises the confidentiality of intellectual property, proprietary algorithms, and other valuable assets stored in GitLab.
Data Leakage: The ability to run pipelines as any user means that an attacker can potentially leak data, including credentials, API keys, and configuration files. This information leakage could have severe implications for an organization’s security posture.
Malicious Code Execution: An attacker could inject malicious code into pipelines, leading to unintended actions. For instance, they might introduce backdoors, modify code, or execute arbitrary commands.
Affected Versions
The vulnerability impacts specific versions of GitLab:
- GitLab versions starting from 15.8 prior to 16.11.5
- GitLab versions starting from 17.0 prior to 17.0.3
- GitLab versions starting from 17.1 prior to 17.1.1
Gitlab’s response
GitLab promptly addressed this issue by releasing updates that fix the vulnerability:
Upgrade GitLab: Update your GitLab installation to a patched version. GitLab has provided patches for the affected releases, so ensure you apply them promptly.
Review Permissions: Audit user permissions within your GitLab projects. Limit pipeline execution rights to authorized users only.
Monitor Pipelines: Keep an eye on pipeline activity. Unusual or unexpected pipeline runs should be investigated promptly.