GitLab security vulnerabilities: Attackers can manipulate software development
GitLab Community Edition and Enterprise Edition are vulnerable. The developers recommend a quick update.
The developers have closed a total of six security vulnerabilities in the current GitLab versions. Successful exploitation allows attackers to interfere with software development, among other things.
Patch now!
The GitLab developers list details of the closed vulnerabilities in an advisory. Specifically, GitLab Community Edition and Enterprise Edition are at risk. The most dangerous is a "critical" vulnerability (CVE-2024-6385) that allows attackers to trigger pipeline jobs on behalf of another user under certain, unspecified circumstances. Developers use pipelines to automate steps such as builds and tests.
The remaining vulnerabilities are classified as "medium" and "low". Among other things, they allow attackers to carry out subdomain takeover attacks. GitLab states that the gaps are closed in versions 16.11.6, 17.0.4 and 17.1.2. Although the advisory does not mention ongoing attacks, the developers advise updating promptly.
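As an added example (not code from the advisory or from GitLab), a small Python check that tells an administrator whether an installed version already contains one of the fixed releases named above. The handling of branches other than the three listed is an assumption noted in the code.

```python
"""Check whether a GitLab version already contains the fixes named in the
advisory (16.11.6, 17.0.4, 17.1.2)."""
import re

# Fixed release per maintained minor branch, as listed in the advisory.
FIXED_VERSIONS = {
    (16, 11): (16, 11, 6),
    (17, 0): (17, 0, 4),
    (17, 1): (17, 1, 2),
}


def parse_version(text):
    """Turn strings like '17.1.1-ee' or 'v16.11.5' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text):
    """True if the version is at or above the fixed release of its branch.

    Assumptions (not stated in the advisory): branches older than 16.11
    received no fix and are reported as unpatched; branches newer than 17.1
    are treated as patched because they were released after the fix.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


def triage(versions):
    """Map each version string to 'patched' or 'update required'."""
    return {v: ("patched" if is_patched(v) else "update required") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory of instance versions, not real hosts.
    sample = ["17.1.2-ee", "17.1.1-ee", "17.0.4", "16.11.5", "16.10.8", "17.2.0"]
    for version, status in triage(sample).items():
        print(f"{version:12} {status}")
```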
(des)