PT-2024-6146 · GitLab · GitLab CE/EE (+1)

Credit: yvvdwf · Published 2024-09-11 · Updated 2025-04-19 · CVE-2024-6678

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

GitLab CE/EE versions 8.14 through 17.1.7
GitLab CE/EE versions 17.2 through 17.2.5
GitLab CE/EE versions 17.3 through 17.3.2

Description

An issue was discovered in GitLab CE/EE that allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. This is an authentication bypass vulnerability: an authenticated attacker (the CVSS vector requires only low privileges, PR:L) can execute pipeline jobs as arbitrary users, posing a severe risk to development environments. The vulnerability is being actively exploited, and it is estimated that millions of users are affected.

Recommendations

For GitLab CE/EE versions 8.14 through 17.1.7, update to version 17.1.7 or later.
For GitLab CE/EE versions 17.2 through 17.2.5, update to version 17.2.5 or later.
For GitLab CE/EE versions 17.3 through 17.3.2, update to version 17.3.2 or later.

As a temporary workaround until the update is applied, restrict who can trigger and run pipeline jobs to minimize the risk of exploitation.
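The following is an added example, not part of this advisory and not GitLab's own tooling: an offline check that classifies a GitLab version string (as shown in the Admin area or by `gitlab-rake gitlab:env:info`) against the three affected ranges above, so a self-hosted instance can be triaged before the update is scheduled. It assumes that the fixed versions named in the Recommendations (17.1.7, 17.2.5, 17.3.2) are the first safe release of each branch, so a version counts as affected when it is at or above the lower bound and below the fixed version. The inventory at the bottom is constructed sample data.

```python
"""Classify GitLab CE/EE version strings against the affected ranges of
CVE-2024-6678 (added example; not the advisory's or GitLab's own code).

Assumption: the fixed versions from the Recommendations (17.1.7, 17.2.5,
17.3.2) are the first safe release of each branch.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (lower bound, inclusive; first fixed version, exclusive) per affected
# branch, taken from the advisory text.
AFFECTED_RANGES = [
    ((8, 14), (17, 1, 7)),
    ((17, 2), (17, 2, 5)),
    ((17, 3), (17, 3, 2)),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version from strings such as '17.1.6',
    '17.3.1-ee' or 'GitLab 16.11.0-ce.0'; None when none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Version, width: int = 3) -> Version:
    """Right-pad with zeros so '17.2' compares as (17, 2, 0)."""
    return v + (0,) * (width - len(v))


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    v = _pad(v)
    return any(_pad(low) <= v < _pad(fixed) for low, fixed in AFFECTED_RANGES)


def classify(text: str) -> str:
    """Human-readable verdict for one version string."""
    try:
        return "AFFECTED" if is_affected(text) else "not affected"
    except ValueError:
        return "unknown (no version parsed)"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported version string.
    inventory = {
        "gitlab-prod": "17.3.1-ee",
        "gitlab-staging": "17.2.5-ee",
        "gitlab-legacy": "16.11.4-ce.0",
        "gitlab-new": "17.4.0-ee",
        "gitlab-unknown": "n/a",
    }
    for host, version in inventory.items():
        print(f"{host:16} {version:14} {classify(version)}")
```

Only instances reporting a version below the fixed release of their branch are flagged; anything the parser cannot read is reported as unknown rather than silently treated as safe.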

Exploit / Fix

Weakness Enumeration

Authentication Bypass by Spoofing (CWE-290)

Related Identifiers

BDU:2024-07065
BIT-GITLAB-2024-6678
CVE-2024-6678

Affected Products

GitLab
GitLab CE/EE