CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
A security flaw affecting specific versions of GitLab's Community Edition (CE) and Enterprise Edition (EE) has been disclosed. The vulnerability can be exploited to run CI/CD pipelines under any other user's credentials.
GitLab is a web-based DevOps platform offering tools for software development, version control, and project management. Launched as an open-source project in 2011, it has become a powerful solution used globally by millions. GitLab integrates CI/CD pipelines for efficient automation of testing and deployment, supporting all stages of the software development lifecycle.
The vulnerability, tracked as CVE-2024-5655, carries a critical CVSS v3.1 base score of 9.6 out of 10. Under conditions the vendor has not disclosed, an attacker can trigger a pipeline as another user, inheriting that user's permissions for the job. Affected releases are GitLab CE/EE 15.8 through 16.11.4, 17.0.0 through 17.0.2, and 17.1.0.
Because pipelines run with the impersonated user's access to repositories, variables and deployment targets, this can lead to unauthorized actions, exposure of sensitive data and loss of integrity on the affected instance. Prompt patching is the only reliable remediation.
GitLab has fixed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and advises users to install these updates promptly.
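The following script is an added example for triaging a fleet against the version ranges above; it is not code from Wallarm or from GitLab. It treats each affected range as inclusive of its lower bound and exclusive of the first fixed release, strips GitLab edition suffixes such as `-ee`, and maps every affected instance to the patched release on its minor line. The inventory in `SAMPLE_INVENTORY` is constructed sample data; the optional `fetch_version` helper uses GitLab's real `/api/v4/version` endpoint, which requires an API-scoped personal access token.

```python
"""Triage GitLab instances against the CVE-2024-5655 affected ranges (added example)."""
from __future__ import annotations

import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as published for CVE-2024-5655: inclusive lower bound,
# exclusive upper bound. The upper bound is the first fixed release, so it
# doubles as the upgrade target for anything inside the range.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
)

# Matches "17.0.2-ee", "16.11.4", "17.1.0-pre", "15.8" (missing patch -> 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(raw: str) -> Version:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


@dataclass(frozen=True)
class Verdict:
    version: str
    affected: bool
    fixed_in: Optional[str]  # first patched release covering this version, if affected


def assess(raw: str) -> Verdict:
    """Decide whether one version string falls inside an affected range."""
    v = parse_version(raw)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return Verdict(raw, True, "%d.%d.%d" % high)
    return Verdict(raw, False, None)


def triage(inventory: Dict[str, str]) -> Dict[str, Verdict]:
    """Assess a {hostname: version} inventory and return a verdict per host."""
    return {host: assess(ver) for host, ver in inventory.items()}


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint.

    Not called by default: it needs network access and an API-scoped token.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


# Constructed sample inventory (hypothetical hosts, not real instances).
SAMPLE_INVENTORY: Dict[str, str] = {
    "gitlab-prod": "16.11.4-ee",     # last unpatched 16.11 release -> affected
    "gitlab-staging": "17.0.2-ee",   # affected, upgrade to 17.0.3
    "gitlab-lab": "17.1.0",          # affected, upgrade to 17.1.1
    "gitlab-legacy": "15.7.8",       # below the published lower bound
    "gitlab-patched": "17.1.1-ee",   # already on the fixed release
}


def affected_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: upgrade_target} for every affected instance."""
    return {h: v.fixed_in for h, v in triage(inventory).items() if v.affected}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        status = f"AFFECTED -> upgrade to {verdict.fixed_in}" if verdict.affected else "not affected"
        print(f"{host:16} {verdict.version:12} {status}")
```

Note that a host below 15.8 (such as the constructed `15.7.8` entry) is reported as not affected only because it lies outside the published ranges; those releases are out of GitLab's support window and should be upgraded regardless.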
"We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version."
The vendor also notes that upgrading to the latest versions introduces two significant changes that users need to be aware of:
The same patch releases also address 13 additional security issues, three of which are rated "high" severity (CVSS v3.1 scores from 7.5 to 8.7). These three vulnerabilities are described as follows:
You can explore GraphQL policy violations (GraphQL attacks) in the Wallarm Console under the Attacks section. Read more about GraphQL attacks and GraphQL attack protection.
The post CVE-2024-5655: Latest GitLab API Vulnerability Threatens Customer Data Exposure appeared first on Wallarm.