PT-2024-4667 · Gitlab · Gitlab Ce/Ee+1

Yvvdwf · Published 2024-07-10 · Updated 2025-01-09 · CVE-2024-6385

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
GitLab CE/EE versions 15.8 prior to 16.11.6
GitLab CE/EE versions 17.0 prior to 17.0.4
GitLab CE/EE versions 17.1 prior to 17.1.2
(The lower bound of each range is inclusive; the fixed release that ends each range is not affected.)

Description: GitLab CE/EE contains an improper access control flaw that lets an attacker trigger a pipeline as another user under certain circumstances, so the resulting pipeline jobs run with that user's permissions rather than the attacker's. Because CI jobs execute with the access of the user who triggered the pipeline (protected variables, job tokens, deploy permissions), impersonating a more privileged user can lead to code execution in CI and exposure of protected secrets. The CVSS vector (AV:N, PR:N, UI:N) indicates exploitation over the network without prior privileges or user interaction. Over 30 million users, including Fortune 100 companies, are potentially affected.

Recommendations: Upgrade to the fixed release of the branch you are running. For GitLab CE/EE versions 15.8 prior to 16.11.6, update to version 16.11.6 or later. For GitLab CE/EE versions 17.0 prior to 17.0.4, update to version 17.0.4 or later. For GitLab CE/EE versions 17.1 prior to 17.1.2, update to version 17.1.2 or later. On a Debian/Ubuntu Omnibus installation, run the following commands:

For GitLab CE

sudo apt-get update
sudo apt-get install gitlab-ce=17.1.2-ce.0

For GitLab EE

sudo apt-get update
sudo apt-get install gitlab-ee=17.1.2-ee.0

The commands above pin the 17.1 branch. On a host that must stay on 16.11 or 17.0, substitute the package version 16.11.6-ce.0 / 16.11.6-ee.0 or 17.0.4-ce.0 / 17.0.4-ee.0, and follow GitLab's documented upgrade path rather than jumping several minor versions in one step. As a temporary workaround until the upgrade is applied, restrict who can trigger pipelines and run pipeline jobs on sensitive projects; this reduces exposure but does not remove the flaw.
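As an added check (this script is not part of the advisory or of GitLab's tooling), the following POSIX shell decides whether a given GitLab CE/EE version falls inside the affected ranges listed above, treating the lower bound of each range as inclusive and the fixed release as excluded, and can optionally read the installed Omnibus package version via dpkg-query. The function names, the sample versions and the "--host" flag are this example's own assumptions; the sample versions are constructed, not taken from a real host.

```bash
#!/bin/sh
# Added example (not GitLab's tooling): check whether a GitLab CE/EE version
# falls inside the ranges this advisory lists for CVE-2024-6385:
#   15.8 <= v < 16.11.6,  17.0 <= v < 17.0.4,  17.1 <= v < 17.1.2
# Lower bounds are inclusive; the fixed release in each branch is excluded.

# vercmp A B: numeric dotted-version comparison, prints -1, 0 or 1.
# A package suffix such as "-ce.0" and a leading "v" are ignored, and a
# missing component counts as 0 (so 15.8 == 15.8.0).
vercmp() {
    # strip the suffix, then append a dot so cut always sees a delimiter
    a="$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')."
    b="$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*$//')."
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i+1))
    done
}

# gitlab_cve_2024_6385_affected VERSION: exit 0 if VERSION is in an affected
# range, 1 otherwise. Each range is "inclusive-lower exclusive-fixed".
gitlab_cve_2024_6385_affected() {
    ver=$1
    for range in "15.8 16.11.6" "17.0 17.0.4" "17.1 17.1.2"; do
        lo=${range% *}
        fix=${range#* }
        if [ "$(vercmp "$ver" "$lo")" -ge 0 ] && [ "$(vercmp "$ver" "$fix")" -lt 0 ]; then
            return 0
        fi
    done
    return 1
}

# installed_gitlab_version: Omnibus package version on a Debian/Ubuntu host,
# or "unknown" when dpkg is absent or neither package is installed.
installed_gitlab_version() {
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return; }
    for pkg in gitlab-ee gitlab-ce; do
        v=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) && [ -n "$v" ] && { echo "$v"; return; }
    done
    echo unknown
}

# Constructed sample versions, one on each side of every range boundary.
for sample in 15.7.8 15.8.0 16.11.5 16.11.6 17.0.3 17.0.4 17.1.1 17.1.2-ee.0 17.2.0; do
    if gitlab_cve_2024_6385_affected "$sample"; then
        echo "$sample: AFFECTED by CVE-2024-6385, upgrade"
    else
        echo "$sample: outside the affected ranges"
    fi
done

# Live check of this host, only when asked for explicitly: ./check.sh --host
if [ "${1:-}" = "--host" ]; then
    v=$(installed_gitlab_version)
    echo "installed: $v"
    if [ "$v" != unknown ] && gitlab_cve_2024_6385_affected "$v"; then
        echo "this host is AFFECTED"
    fi
fi
```

The comparison is done field by field rather than with sort -V so that the package suffix (17.1.2-ee.0) and a shortened lower bound (15.8) compare the way the advisory intends; anything older than 15.8 is reported as outside the listed ranges, which is a statement about this advisory, not a statement that such releases are safe.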

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2024-05179
BIT-GITLAB-2024-6385
CVE-2024-6385

Affected Products

Gitlab
Gitlab Ce/Ee