GitLab Patches Critical Security Vulnerability (CVE-2024-6385), Urges Immediate Upgrade

CVE-2024-6385

In a security advisory released today, GitLab, the popular web-based DevOps platform, disclosed several critical vulnerabilities affecting various versions of their Community Edition (CE) and Enterprise Edition (EE) products. The most severe of these, CVE-2024-6385, carries a CVSS score of 9.6 and could allow an attacker to execute pipeline jobs as any user, potentially compromising sensitive data and systems.

Key Vulnerabilities and Impacts:

  • CVE-2024-6385 (Critical): This vulnerability, impacting versions 15.8 through 17.1.1, enables attackers to impersonate other users and run arbitrary pipeline jobs, posing a significant risk to the integrity and confidentiality of projects hosted on GitLab.
  • CVE-2024-5257 (Medium): This flaw grants developers with specific permissions the ability to modify group URLs, potentially leading to confusion and phishing attacks.
  • CVE-2024-5470 (Low): Guest users with elevated privileges could create project-level deploy tokens, potentially granting unauthorized access to project resources.
  • CVE-2024-6595 (Low): This vulnerability allows for the upload of conflicting NPM packages, which could lead to dependency confusion attacks.
  • CVE-2024-2880 (Low): Users with specific administrative permissions could ban group members, disrupting collaboration.
  • CVE-2024-5528 (Medium): This subdomain takeover vulnerability in GitLab Pages could allow attackers to redirect traffic to malicious websites.

Immediate Action Required:

GitLab strongly recommends that all users upgrade to the latest versions (17.1.2, 17.0.4, or 16.11.6) immediately. The company has released patches addressing these vulnerabilities and has emphasized the importance of prompt action to protect against potential exploitation.
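A practical first step for defenders is to confirm which release an instance is running and whether it falls inside the range the advisory summary above gives. The following is an added example, not GitLab's code or anything from the advisory itself: it encodes the affected range (15.8 through 17.1.1) and the three patched releases (17.1.2, 17.0.4, 16.11.6) as stated above, and maps a version string to the patched release on its branch. The function names (`parse_version`, `fixed_release_for`, `assess`, `assess_api_response`), the branch-to-fix table, and the treatment of any 17.x branch not named as affected are all my assumptions; the sample JSON stands in for the body of GitLab's `GET /api/v4/version` endpoint and is constructed, including its revision value.

```python
"""Check a GitLab version string against the affected and fixed ranges
quoted in the advisory summary above (CVE-2024-6385).

Added example, not GitLab's own code. Assumptions:
  - affected range is 15.8 through 17.1.1, as the article states;
  - fixed releases are 17.1.2, 17.0.4 and 16.11.6 (one per release branch);
  - anything below 15.8, at or after a fixed release, or on a 17.x branch
    not named above is treated as not affected.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First affected release named in the advisory summary (inclusive).
FIRST_AFFECTED: Version = (15, 8, 0)

# Fixed release per branch, keyed by (major, minor). Branches from 15.8
# up to 16.11 have no branch-specific fix and should move to 16.11.6.
FIXED_BY_BRANCH = {
    (17, 1): (17, 1, 2),
    (17, 0): (17, 0, 4),
}
FALLBACK_FIX: Version = (16, 11, 6)

# Accepts "17.1.1", "16.11.6-ee" (edition suffix) or a bare "17.1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fixed_release_for(version: Version) -> Optional[Version]:
    """Return the patched release this version should upgrade to, or None
    when the version lies outside the affected range."""
    if version < FIRST_AFFECTED:
        return None
    branch = (version[0], version[1])
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is None:
        if version[0] >= 17:
            return None  # 17.x branch not listed as affected (assumption)
        fix = FALLBACK_FIX  # 15.8 .. 16.11.x: upgrade target is 16.11.6
    return fix if version < fix else None


def assess(version_text: str) -> dict:
    """Summarise exposure for one version string."""
    fix = fixed_release_for(parse_version(version_text))
    return {
        "version": version_text,
        "affected": fix is not None,
        "upgrade_to": ".".join(map(str, fix)) if fix else None,
    }


def assess_api_response(body: str) -> dict:
    """Assess the JSON body returned by GitLab's GET /api/v4/version endpoint
    (shape: {"version": "...", "revision": "..."})."""
    return assess(json.loads(body)["version"])


# Constructed sample response standing in for a live API call.
SAMPLE_RESPONSE = '{"version": "17.1.1-ee", "revision": "0000000000"}'

if __name__ == "__main__":
    for v in ("15.7.9", "15.8.0", "16.11.5", "16.11.6",
              "17.0.3", "17.1.1", "17.1.2", "17.2.0"):
        print(assess(v))
    print(assess_api_response(SAMPLE_RESPONSE))
```

Run it against the version reported by each instance you operate; an `affected` result names the patched release on that branch, so the upgrade can be planned per branch rather than by jumping every instance to the newest line.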