GitLab has updated its Community and Enterprise editions to fix a critical vulnerability that allowed malicious actors to run pipeline jobs as any other user of the platform.
In the patch release notes, posted on GitLab's website, the company said it “strongly” recommends users update their installations to the latest versions immediately, adding that GitLab.com and GitLab Dedicated were already fixed.
The latest versions are 17.1.2, 17.0.4, 16.11.6, and the vulnerable versions are all between 15.8 and 16.11.6, 17.0 and 17.0.4, and 17.1 and 17.1.2.
Millions at risk
The critical flaw, discovered through the HackerOne bug bounty program, allows an attacker to activate a pipeline as another user, under certain circumstances.
GitLab Pipeline is a powerful feature of GitLab's Continuous Integration/Continuous Deployment (CI/CD) system. It automates the process of building, testing, and deploying code, allowing developers to ensure their software is reliable and ready for release. During the build stage, code is compiled and transformed into an executable. In the test stage, the code is analyzed for integrity and functionality to detect errors and flaws. Finally, in the deploy stage, the validated code is deployed to the desired environment.
By using a pipeline, developers can streamline the development process, automate repetitive tasks, and maintain high code quality.
The vulnerability is now known as CVE-2024-6385 and has a severity score of 9.6/10 (critical).
GitLab is a DevOps platform with over 30 million registered users, according to Computer beepingMore than half of the Fortune 100 companies use it for their DevOps needs, including NASA, Intel, Siemens, Goldman Sachs, and many others.
GitLab Community Edition (CE) is an open source version that is free to use and as such is primarily used by smaller teams. It includes core features such as source code management, issue tracking, and basic continuous integration/continuous deployment (CI/CD) capabilities.
The Enterprise edition is a paid version that offers additional features, designed to support larger organizations with more complex needs. This edition includes advanced security features, enhanced CI/CD capabilities, performance monitoring, and compliance tools. It also offers enhanced support for large-scale collaboration, project management, and resource optimization.
