
WARNING: CRITICAL AND HIGH-SEVERITY VULNERABILITIES FOUND IN GITLAB CE/EE AND GITLAB EE, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-221
Version: 
1.0
Affected software: 
GitLab CE/EE 8.14 prior to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2
GitLab EE 16.11 prior to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2
Type: 
Code Injection and Command Injection
CVE/CVSS: 

CVE-2024-6678 / CVSS 9.9(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-8640 / CVSS 8.5(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

Gitlab: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/

Risks

On September 11, 2024, GitLab published security updates for a critical and a high-severity vulnerability affecting GitLab Community Edition (CE) and GitLab Enterprise Edition (EE).

CVE-2024-6678 is a critical vulnerability affecting GitLab CE/EE. Successful exploitation could lead to full system compromise with elevated privileges, severely impacting the confidentiality, integrity and availability of affected systems.

The high-severity vulnerability, CVE-2024-8640, affects GitLab EE only. Exploitation could allow an authenticated attacker to execute unauthorized commands on connected Cube servers.

Description

CVE-2024-6678 is a command injection vulnerability that could allow an attacker to trigger a pipeline as an arbitrary user under specific conditions, leading to full system compromise and privilege escalation. It affects all GitLab CE/EE versions from 8.14 prior to 17.1.7, from 17.2 prior to 17.2.5 and from 17.3 prior to 17.3.2.

CVE-2024-8640 is a code injection vulnerability that could allow an attacker to inject malicious commands into the Product Analytics funnels YAML configuration because of incomplete input filtering. An attacker could exploit it to execute unauthorized commands on connected Cube servers. It affects all GitLab EE versions from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5 and from 17.3 prior to 17.3.2.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends upgrading vulnerable GitLab instances to 17.3.2, 17.2.5 or 17.1.7 (or later) with the highest priority, after thorough testing.
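
The following script is an added example (not CCB or GitLab tooling) that compares a GitLab version string against the affected ranges above and reports which CVE applies and the smallest patched release to move to. The ranges and fixed releases are taken from this advisory; the rule that any minor branch newer than 17.3 already carries the fix is an assumption, as is the edition inference from a "-ce"/"-ee" suffix. The optional online lookup uses GitLab's real /api/v4/version endpoint, which requires a personal access token with read_api scope.

```python
"""Version check for Advisory #2024-221 (GitLab CVE-2024-6678 / CVE-2024-8640).

Added example, not CCB's or GitLab's own tooling. Affected ranges and fixed
releases come from the advisory. Assumption: minor branches newer than 17.3
include the fix because they were cut after the 2024-09-11 patch release.
"""
import json
import re
import sys
import urllib.request

# Patched release per minor branch, from the advisory.
FIXED = {(17, 1): (17, 1, 7), (17, 2): (17, 2, 5), (17, 3): (17, 3, 2)}
NEWEST_PATCHED_BRANCH = (17, 3)
# Earliest affected release per CVE, from the advisory.
FIRST_AFFECTED = {"CVE-2024-6678": (8, 14, 0), "CVE-2024-8640": (16, 11, 0)}
# Product Analytics funnels (CVE-2024-8640) exist only in Enterprise Edition.
EE_ONLY = {"CVE-2024-8640"}


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (e.g. '17.3.1-ee') into an int tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def infer_edition(text, default="EE"):
    """Assumption: a '-ce'/'-ee' suffix names the edition; default to EE (worst case)."""
    m = re.search(r"-(ce|ee)\b", text.lower())
    return m.group(1).upper() if m else default


def is_fixed(v):
    """True when v is at or above the patched release for its branch.

    Branches 17.0 and older received no backport in this advisory; branches
    newer than 17.3 are assumed to include the fix (see module docstring).
    """
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > NEWEST_PATCHED_BRANCH


def affected_cves(version, edition=None):
    """Return the advisory CVEs that apply to this version and edition."""
    v = parse_version(version)
    edition = (edition or infer_edition(version)).upper()
    if is_fixed(v):
        return []
    hits = []
    for cve, first in FIRST_AFFECTED.items():
        if cve in EE_ONLY and edition != "EE":
            continue
        if v >= first:
            hits.append(cve)
    return hits


def fixed_release_for(version):
    """Smallest patched release on the same branch, or the newest patched
    release in the advisory when the running branch has no backport."""
    branch = parse_version(version)[:2]
    target = FIXED.get(branch, FIXED[NEWEST_PATCHED_BRANCH])
    return ".".join(str(n) for n in target)


def fetch_version(base_url, token):
    """Read the running version from GitLab's /api/v4/version endpoint.
    The only network access in this script; needs a read_api token."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: check.py <version-string | https://gitlab.example> [token]
    # "17.3.1-ee" below is a constructed sample, not a real instance.
    arg = sys.argv[1] if len(sys.argv) > 1 else "17.3.1-ee"
    if arg.startswith("http"):
        arg = fetch_version(arg, sys.argv[2])
    cves = affected_cves(arg)
    if cves:
        print(f"{arg}: affected by {', '.join(cves)}; "
              f"upgrade to {fixed_release_for(arg)} or later")
        sys.exit(1)
    print(f"{arg}: not affected by Advisory #2024-221")
```

Versions on the 17.0 and older branches (for example 16.11.x) report both CVEs because no patched release exists on those branches; the recommended target for them is the newest patched release, 17.3.2.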

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise.

References

Gitlab: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/