CVE-2024-6678
Published: 2024-09-12
CVE-2024-6678: An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3…
Priority: P3 · 56 · high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.99% (78.2th percentile)
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 17.3.5-2 (sid) | gitlab 17.3.5-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 17.2 < 17.2.5 | 17.2.5 |
| gitlab | gitlab | >= 17.2.0 < 17.2.5 | 17.2.5 |
| gitlab | gitlab | >= 17.3 < 17.3.2 | 17.3.2 |
| gitlab | gitlab | >= 17.3.0 < 17.3.2 | 17.3.2 |
| gitlab | gitlab | >= 8.14 < 17.1.7 | 17.1.7 |
| gitlab | gitlab | >= 8.14.0 < 17.1.7 | 17.1.7 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | — |
| vendor_debian | 9.9 | CRITICAL | — |
| vendor_redhat | 9.9 | CRITICAL | — |
Red Hat
gitlab: Arbitrary Pipeline Trigger in GitLab
vendor_redhat · 2024-09-12 · CVSS 9.9 · CRITICAL · CWE-290
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
A flaw was found in GitLab CE/EE. This vulnerability allows an attacker to trigger a pipeline as an arbitrary user via certain circumstances.
Statement: Red Hat does not provide GitLab Community Edition (CE) or Enterprise Edition (EE). No Red Hat products are vulnerable to this CVE.
GitLab
vendor_gitlab · 2024-09-12 · CVSS 9.9 · CRITICAL · CWE-290
CVE-2024-6678: An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Debian
vendor_debian · 2024 · CVSS 9.9 · CRITICAL
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
Scope: local
sid: resolved (fixed in 17.3.5-2)
GHSA
GHSA-ph8h-4mq7-vw5v · ghsa_unreviewed · 2024-09-12 · CRITICAL · CWE-290
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
OSV
osv · 2024-09-12 · CVSS 8.8 · HIGH
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
## GitLab warns of critical arbitrary branch pipeline execution flaw
blogs_bleepingcomputer · 2024-10-10 · CVSS 7.3 · CVE-2024-9164 [HIGH]
By Bill Toulas
GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.
The vulnerability, which is tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository.
CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, normally available only to users with appropriate permissions.
An attacker capable of bypassing branch protections could potentially perform code execution or gain access to sensitive information.
The issue, which has received a CVSS v3.1
Bleepingcomputer
## GitLab warns of critical pipeline execution vulnerability
blogs_bleepingcomputer · 2024-09-12 · CVSS 8.2 · CVE-2024-6678 [HIGH]
By Bill Toulas
GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.
With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job.
The severity of the flaw comes from its potential for remote exploitation, lack of user interaction, and the low privileges requ
Published: 2024-09-12