Friday, January 31, 2025

GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution


GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.

The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0.

“An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” the company said in an alert.

The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, has been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).


It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).


While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches as soon as possible to mitigate against potential threats.
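To triage an inventory against the affected ranges quoted in the alert, the check below maps each instance's version string to the first fixed release on its branch. It is an added example, not GitLab's own tooling; the hostnames and versions in the inventory are constructed, and the function names are hypothetical.

```python
import re

# Affected ranges for CVE-2024-6678 as quoted from the alert:
# (first affected version, first fixed version); the upper bound is exclusive.
AFFECTED_RANGES = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]

def parse_version(text):
    """Parse '17.2.4', 'v17.2.4-ee' or '17.3' into a (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def fixed_in(text):
    """Return the first fixed release for an affected version, or None if unaffected."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(map(str, first_fixed))
    return None

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "gitlab-a.example.internal": "17.1.6-ee",
    "gitlab-b.example.internal": "17.2.5",
    "gitlab-c.example.internal": "17.3.1",
    "gitlab-d.example.internal": "17.0.9",
    "gitlab-e.example.internal": "8.13.12",
}

def report(inventory):
    """Map each host to the release it must reach, or None if it is not affected."""
    return {host: fixed_in(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, target in report(INVENTORY).items():
        status = f"AFFECTED, upgrade to >= {target}" if target else "not affected"
        print(f"{host:28} {INVENTORY[host]:10} {status}")
```

Versions on branches older than 17.1 (for example 17.0.x) fall inside the first range, so the nearest fixed release the alert names for them is 17.1.7.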

Earlier this May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) had come under active exploitation in the wild.
