GitLab: Kritischer Fehler lässt Angreifer Pipelines als andere Benutzer ausführen

Teilen:

GitLab warned today that a critical vulnerability in its product’s GitLab Community and Enterprise editions allows attackers to run pipeline jobs as any other user.

The GitLab DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS.

The flaw patched in today’s security update is tracked as CVE-2024-6385, and it received a CVSS base score severity rating of 9.6 out of 10.

It impacts all GitLab CE/EE versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. Under certain circumstances that GitLab has yet to disclose, attackers can exploit it to trigger a new pipeline as an arbitrary user.

GitLab pipelines are a Continuous Integration/Continuous Deployment (CI/CD) system feature that lets users automatically run processes and tasks in parallel or sequentially to build, test, or deploy code changes.

The company released GitLab Community and Enterprise versions 17.1.2, 17.0.4, and 16.11.6 to address this critical security flaw and advised all admins to upgrade all installations immediately.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” it warned. “GitLab.com and GitLab Dedicated are already running the patched version.”

Account takeover flaw actively exploited in attacks

GitLab patched an almost identical vulnerability (tracked as CVE-2024-5655) in late June, which could also be exploited to run pipelines as other users.

One month earlier, it fixed a high-severity vulnerability (CVE-2024-4835) that enables unauthenticated threat actors to take over accounts in cross-site scripting (XSS) attacks.

As CISA warned in May, threat actors are also actively exploiting another zero-click GitLab vulnerability (CVE-2023-7028) patched in January. This vulnerability allows unauthenticated attackers to hijack accounts via password resets.

While Shadowserver found over 5,300 vulnerable GitLab instances exposed online in January, less than half (1,795) are still reachable today.

Attackers target GitLab because it hosts various types of sensitive corporate data, including API keys and proprietary code, leading to significant security impact following a breach.

This includes supply chain attacks if the threat actors insert malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments, compromising the breached organization’s repositories.

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
4:20 am, Juli 14, 2025
Wetter-Symbol 19°C
L: 17° | H: 20°
overcast clouds
Luftfeuchtigkeit: 75 %
Druck: 1011 mb
Wind: 7 mph SSW
Windböe: 0 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 100%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 4:59 am
Sonnenuntergang: 9:12 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 10:00 pm
Wetter-Symbol
17° | 20°°C 0 mm 0% 18 mph 76 % 1015 mb 0 mm/h
Tomorrow 10:00 pm
Wetter-Symbol
15° | 20°°C 1 mm 100% 15 mph 78 % 1016 mb 0 mm/h
Mi. Juli 16 10:00 pm
Wetter-Symbol
14° | 27°°C 0.2 mm 20% 14 mph 73 % 1017 mb 0 mm/h
Do. Juli 17 10:00 pm
Wetter-Symbol
18° | 26°°C 1 mm 100% 8 mph 80 % 1017 mb 0 mm/h
Fr. Juli 18 10:00 pm
Wetter-Symbol
19° | 30°°C 0 mm 0% 12 mph 79 % 1015 mb 0 mm/h
Today 7:00 am
Wetter-Symbol
17° | 18°°C 0 mm 0% 9 mph 76 % 1011 mb 0 mm/h
Today 10:00 am
Wetter-Symbol
20° | 20°°C 0 mm 0% 11 mph 59 % 1012 mb 0 mm/h
Today 1:00 pm
Wetter-Symbol
23° | 23°°C 0 mm 0% 15 mph 39 % 1013 mb 0 mm/h
Today 4:00 pm
Wetter-Symbol
25° | 25°°C 0 mm 0% 18 mph 28 % 1013 mb 0 mm/h
Today 7:00 pm
Wetter-Symbol
22° | 22°°C 0 mm 0% 15 mph 30 % 1013 mb 0 mm/h
Today 10:00 pm
Wetter-Symbol
19° | 19°°C 0 mm 0% 9 mph 45 % 1015 mb 0 mm/h
Tomorrow 1:00 am
Wetter-Symbol
16° | 16°°C 0 mm 0% 8 mph 61 % 1016 mb 0 mm/h
Tomorrow 4:00 am
Wetter-Symbol
15° | 15°°C 0 mm 0% 8 mph 72 % 1016 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€102,564.53
1.89%
Ethereum(ETH)
€2,571.81
1.86%
XRP(XRP)
€2.49
5.11%
Fesseln(USDT)
€0.86
0.00%
Solana(SOL)
€141.35
2.48%
USDC(USDC)
€0.86
0.00%
Dogecoin(DOGE)
€0.172665
2.02%
Shiba Inu(SHIB)
€0.000012
2.61%
Pepe(PEPE)
€0.000011
2.96%
Peanut das Eichhörnchen(PNUT)
€0.244556
5.81%
Nach oben scrollen