GitLab warns of critical security flaw which could allow hacker takeovers
GitLab users urged to apply patch right away
GitLab has upgraded its Community and Enterprise editions to fix a critical vulnerability which allowed malicious actors to run pipeline jobs as any other platform user.
In its patch release notes, published on the GitLab website, the company said it “strongly” recommends users upgrade their installations to the latest versions immediately, adding that GitLab.com and GitLab Dedicated were already fixed.
The latest versions are 17.1.2, 17.0.4, 16.11.6, and the vulnerable versions are all between 15.8 and 16.11.6, 17.0 and 17.0.4, and 17.1 and 17.1.2.
Millions at risk
The critical flaw, discovered through the HackerOne bug bounty program, allows an attacker to trigger a pipeline as another user, under certain circumstances.
A GitLab Pipeline is a powerful feature of GitLab's Continuous Integration/Continuous Deployment (CI/CD) system. It automates the process of building, testing, and deploying code, allowing developers to ensure their software is reliable and ready for release. During the build stage, the code is compiled and transformed into an executable. In the test stage, the code’s integrity and functionality are analyzed for errors and bugs. Finally, in the deployment stage, the validated code is deployed into the desired environment.
By using a pipeline, developers can streamline the development process, automate repetitive tasks, and maintain high code quality.
The vulnerability is now tracked as CVE-2024-6385, and carries a severity score of 9.6/10 (critical).
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
GitLab is a DevOps platform with more than 30 million registered users, according to BleepingComputer. More than half of Fortune 100 companies use it for their DevOps needs, including NASA, Intel, Siemens, Goldman Sachs, and many others.
GitLab Community Edition (CE) is an open source version that is free to use, and as such is mostly used by smaller teams. It includes core features such as source code management, issue tracking, and basic continuous integration/continuous deployment (CI/CD) capabilities.
The Enterprise edition is a paid version that offers extra features, designed to support larger organizations with more complex needs. This edition includes advanced security features, enhanced CI/CD capabilities, performance monitoring, and compliance tools. It also offers enhanced support for large-scale collaboration, project management, and resource optimization.
More from TechRadar Pro
- GitLab issues patch for high severity account takeover vulnerability
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.