GitLab Issues Critical Security Patch for CVE-2024-6678 (CVSS 9.9), Urges Immediate Update
In a recent security advisory, GitLab announced the release of critical security patches for its Community Edition (CE) and Enterprise Edition (EE). The patches address several vulnerabilities, including one classified as ‘critical’ that could allow an attacker to execute arbitrary code.
Here’s a breakdown of the most critical vulnerabilities patched in this update.
CVE-2024-6678: Critical Pipeline Execution as Arbitrary User (CVSS 9.9)
The most severe vulnerability, CVE-2024-6678, affects all GitLab CE/EE versions starting from 8.14 up to the patched versions. This flaw allows an attacker to execute pipeline jobs as an arbitrary user under certain conditions. With a CVSS score of 9.9, this command injection vulnerability could lead to full system compromise by enabling unauthorized pipeline executions with elevated privileges.
CVE-2024-8640: Code Injection via Product Analytics (CVSS 8.5)
Another significant issue, CVE-2024-8640, was discovered in GitLab EE versions 16.11 and above. In this vulnerability, attackers could inject malicious commands into the Product Analytics funnels YAML configuration due to incomplete input filtering. This code injection vulnerability has a CVSS score of 8.5 and could be exploited by attackers to execute unauthorized commands on connected Cube servers.
CVE-2024-8635: Server-Side Request Forgery (SSRF) via Dependency Proxy (CVSS 7.7)
This SSRF vulnerability, CVE-2024-8635, affects GitLab EE versions 16.8 and later. The flaw allows attackers to craft custom Maven Dependency Proxy URLs to make unauthorized requests to internal resources. This could be leveraged for reconnaissance and further attacks on internal network resources.
CVE-2024-8124: Denial of Service via Large glm_source Parameter (CVSS 7.5)
A Denial of Service (DoS) vulnerability, CVE-2024-8124, affects GitLab CE/EE versions starting from 16.4. By sending an excessively large glm_source parameter, an attacker could cause GitLab services to become unavailable, disrupting access to essential features.
Recommendations
GitLab strongly advises all self-managed installations to immediately upgrade to the latest versions to protect against these vulnerabilities. GitLab.com users are already protected, as the platform is running the patched versions, and GitLab Dedicated customers do not need to take action. For those running affected versions, upgrading to 17.3.2, 17.2.5, or 17.1.7 is critical to maintaining the security and integrity of your GitLab environment.
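A quick way for administrators to triage an installation against the fixed releases named above, as an added example that is not GitLab's own tooling: it parses the version string that GET /api/v4/version or `gitlab-rake gitlab:env:info` reports and compares it with 17.3.2, 17.2.5 and 17.1.7. The branch-to-fix mapping and the treatment of branches older than 17.1 or newer than 17.3 are assumptions drawn from the versions the advisory lists.

```python
"""Triage a self-managed GitLab version against the patched releases
named in the advisory (17.3.2, 17.2.5, 17.1.7). Added example, not
GitLab's own tooling; branch mapping is an assumption from the advisory."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per stable branch, as listed in the advisory.
FIXED = {
    (17, 3): (17, 3, 2),
    (17, 2): (17, 2, 5),
    (17, 1): (17, 1, 7),
}
# CVE-2024-6678 affects releases starting from 8.14 (lower bound from the advisory).
FIRST_AFFECTED: Version = (8, 14, 0)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]', e.g. '17.2.4-ee' or 'v17.1.7'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version_text: str) -> dict:
    """Return whether the version is affected and the minimal upgrade target
    on the same stable branch; branches older than 17.1 are sent to the
    oldest patched release, 17.1.7 (assumption, not advisory text)."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return {"version": v, "vulnerable": False, "upgrade_to": None}
    fix: Optional[Version] = FIXED.get(v[:2])
    if fix is None:
        if v[:2] > (17, 3):
            # Assumption: branches newer than 17.3 ship with the fix included.
            return {"version": v, "vulnerable": False, "upgrade_to": None}
        fix = FIXED[(17, 1)]
    vulnerable = v < fix
    return {"version": v, "vulnerable": vulnerable,
            "upgrade_to": fix if vulnerable else None}


if __name__ == "__main__":
    # Constructed sample inputs, not real installations.
    for sample in ("17.3.1", "17.2.4-ee", "16.11.0", "17.3.2", "8.13.0"):
        print(sample, "->", assess(sample))
```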
For more details on these vulnerabilities and others addressed in the latest update, visit the GitLab security advisories page.