About the Vulnerability
Introduction
GitLab is an open-source repository management project. It uses Git for code management and provides Git-based web services.
Summary
On July 11, 2024, Sangfor FarSight Labs received notification of the authentication bypass vulnerability (CVE-2024-6385) in GitLab, classified as critical (CVSS Score 9.6) by GitLab.
This vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE). Attackers can exploit it to trigger a pipeline as another user, leading to sensitive information leakage and server compromise.
Affected Versions
15.8 ≤ GitLab CE/EE ≤ 16.11.5
17.0 ≤ GitLab CE/EE ≤ 17.0.3
17.1 ≤ GitLab CE/EE ≤ 17.1.1
Solutions
Remediation Solutions
Check the Component Version
View your GitLab version at https://<your GitLab instance address>/help, for example https://your.gitlab.com/help.
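The following is an added helper, not code from Sangfor or GitLab, that takes the version string read from the /help page and checks it against the three affected ranges listed above. It assumes the string contains a dotted version number (e.g. "17.1.1-ee" or "GitLab Enterprise Edition 17.1.1-ee"); the sample inputs below are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in this advisory (inclusive on both ends).
# A bare "15.8" lower bound is treated as 15.8.0.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]

def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from free text such as the /help banner.
    A missing patch component is read as 0. Returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version_text: str) -> bool:
    """True if the version falls inside any affected range for CVE-2024-6385."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version number found in {version_text!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def triage(instances: dict) -> dict:
    """Map instance name -> 'affected' | 'not affected' | 'unknown' for a batch of
    version strings copied from each instance's /help page."""
    result = {}
    for name, text in instances.items():
        try:
            result[name] = "affected" if is_affected(text) else "not affected"
        except ValueError:
            result[name] = "unknown"  # page did not contain a version number
    return result

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames).
    sample = {
        "git.example.internal": "GitLab Enterprise Edition 17.1.1-ee",
        "ci.example.internal": "GitLab Community Edition 16.11.6",
        "legacy.example.internal": "GitLab Community Edition 15.7.9",
        "dev.example.internal": "GitLab Enterprise Edition (version unavailable)",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```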
Official Solution
GitLab has released the latest version of CE/EE to fix the vulnerability, and affected users are strongly advised to update to the latest version. Download link: https://about.gitlab.com/update
Timeline
On July 11, 2024, Sangfor FarSight Labs received notification of the GitLab authentication bypass vulnerability (CVE-2024-6385).
On July 11, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/