GitLab warns of critical pipeline execution vulnerability

Share:

GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.

The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.

With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job.

The severity of the flaw comes from its potential for remote exploitation, lack of user interaction, and the low privileges required for exploiting it.

GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. – GitLab

GitLab pipelines are automated workflows used to build, test, and deploy code, part of GitLab’s CI/CD (Continuous Integration/Continuous Delivery) system.

They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.

GitLab addressed arbitrary pipeline execution vulnerabilities multiple times in recent months, including in July 2024, to fix CVE-2024-6385, in June 2024, to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical.

The bulletin also lists four high-severity issues with scores between 6.7 – 8.5, that could potentially allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows:

  • CVE-2024-8640: Due to improper input filtering, attackers could inject commands into a connected Cube server via YAML configuration, potentially compromising data integrity. Impacts GitLab EE starting from 16.11.
  • CVE-2024-8635: Attackers could exploit a Server-Side Request Forgery (SSRF) vulnerability by crafting a custom Maven Dependency Proxy URL to make requests to internal resources, compromising internal infrastructure. Affects GitLab EE starting from 16.8.
  • CVE-2024-8124: Attackers could trigger a DoS attack by sending a large ‘glm_source’ parameter, overwhelming the system and making it unavailable. Impacts GitLab CE/EE starting from 16.4.
  • CVE-2024-8641: Attackers could exploit a CI_JOB_TOKEN to gain access to a victim’s GitLab session token, allowing them to hijack a session. Affects GitLab CE/EE starting from 13.7.

For update instructions, source code, and packages, check out GitLab’s official download portal. The latest GitLab Runner packages are available here.

Bill Toulas

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
11:59 pm, Jun 30, 2025
weather icon 24°C
L: 23° | H: 25°
clear sky
Humidity: 67 %
Pressure: 1015 mb
Wind: 2 mph
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 0%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:46 am
Sunset: 9:21 pm
DailyHourly
Daily ForecastHourly Forecast
Tomorrow 10:00 pm
weather icon
23° | 25°°C 0 mm 0% 11 mph 67 % 1015 mb 0 mm/h
Wed Jul 02 10:00 pm
weather icon
19° | 26°°C 0 mm 0% 12 mph 75 % 1024 mb 0 mm/h
Thu Jul 03 10:00 pm
weather icon
14° | 26°°C 0 mm 0% 7 mph 53 % 1029 mb 0 mm/h
Fri Jul 04 10:00 pm
weather icon
16° | 28°°C 0 mm 0% 10 mph 47 % 1028 mb 0 mm/h
Sat Jul 05 10:00 pm
weather icon
16° | 21°°C 1 mm 100% 12 mph 90 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
22° | 24°°C 0 mm 0% 3 mph 67 % 1015 mb 0 mm/h
Tomorrow 4:00 am
weather icon
21° | 23°°C 0 mm 0% 3 mph 66 % 1015 mb 0 mm/h
Tomorrow 7:00 am
weather icon
22° | 23°°C 0 mm 0% 5 mph 63 % 1014 mb 0 mm/h
Tomorrow 10:00 am
weather icon
28° | 28°°C 0 mm 0% 3 mph 44 % 1014 mb 0 mm/h
Tomorrow 1:00 pm
weather icon
30° | 30°°C 0 mm 0% 6 mph 32 % 1014 mb 0 mm/h
Tomorrow 4:00 pm
weather icon
34° | 34°°C 0 mm 0% 8 mph 26 % 1013 mb 0 mm/h
Tomorrow 7:00 pm
weather icon
32° | 32°°C 0 mm 0% 11 mph 31 % 1013 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
25° | 25°°C 0 mm 0% 8 mph 46 % 1015 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€91,726.36
0.08%
Ethereum(ETH)
€2,141.69
2.99%
Tether(USDT)
€0.85
0.00%
XRP(XRP)
€1.95
4.59%
Solana(SOL)
€134.28
4.10%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.142338
1.58%
Shiba Inu(SHIB)
€0.000010
0.00%
Pepe(PEPE)
€0.000009
2.69%
Scroll to Top