GitLab released security patches for 17 vulnerabilities in GitLab CE (Community Edition) and EE (Enterprise Edition).

One of these vulnerabilities is a critical pipeline execution flaw, tracked as CVE-2024-6678 (CVSS score of 9.9), that could allow an attacker to trigger a pipeline as an arbitrary user under certain circumstances.

“An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.” reads the company’s advisory. “It is now mitigated in the latest release and is assigned CVE-2024-6678.”
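The three affected ranges quoted above are easy to misread when an instance sits on an older minor release (for example, 17.0.x is still inside the first range). The following check, written for this article and not taken from GitLab, transcribes the advisory's ranges into a small version comparator. It assumes the version string comes from the instance (for example the `version` field returned by GitLab's authenticated `GET /api/v4/version` endpoint) and that edition suffixes such as `-ee` can be ignored for the comparison; the sample versions at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2024-6678, transcribed from the advisory text above:
# [8.14, 17.1.7), [17.2, 17.2.5) and [17.3, 17.3.2). A two-component lower
# bound such as "17.2" is read as the .0 release of that minor branch.
AFFECTED_RANGES = (
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)

# Leading "major.minor[.patch]"; anything after it ("-ee", "-pre", build info)
# is an assumption of this example and is deliberately ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse strings like '17.2.4-ee' or '17.3.1' into (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_by_cve_2024_6678(text: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """Return the first patched release on or above the instance's branch.

    Versions on the 17.2 and 17.3 branches can stay on their branch; anything
    older is inside the long first range and needs at least 17.1.7.
    Returns None when the version is not affected.
    """
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for sample in ("17.0.3-ee", "17.1.7", "17.2.4-ee", "17.3.1", "17.3.2"):
        status = "AFFECTED" if is_affected_by_cve_2024_6678(sample) else "not affected"
        print(f"{sample:<10} {status:<13} fix: {recommended_fix(sample)}")
```

Note the asymmetry: an instance on 17.0.x or 17.1.x reports 17.1.7 as the fix because the advisory's first range runs continuously from 8.14 up to 17.1.7; only 17.2 and 17.3 have a same-branch patch release.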
GitLab also fixed a high severity issue, tracked as CVE-2024-8640 (CVSS score of 8.5), in GitLab EE. An attacker can exploit the flaw to inject commands into a connected Cube server.

GitLab credited joaxcar with reporting this vulnerability through its HackerOne bug bounty program.
Pierluigi Paganini

(SecurityAffairs – hacking, GitLab CE)