Critical GitLab Bug CVE-2024-5655: Potential Pipeline Attack

June 29, 2024
CVE or Exploit Name

CVE-2024-5655 (CVSS 9.6): a flaw in GitLab CE/EE that could permit a malicious actor to trigger a pipeline as another user under certain circumstances.

Timeline
  • June 26, 2024

    GitLab publishes patch releases 17.1.1, 17.0.3 and 16.11.5 fixing CVE-2024-5655 (CVSS 9.6).

  • June 29, 2024

    CVE-2024-5655 (CVSS 9.6): this could permit a malicious actor to trigger a pipeline
    as another user under certain circumstances.

Overview of CVE

In GitLab, a pipeline automates the building, testing, and deployment of code, and it runs with the permissions of the user who triggered it. An attacker who can run pipelines as other users inherits that user's access to private repositories and to whatever the pipeline's jobs can reach, and can use it to read, alter, or exfiltrate sensitive code and data. Such an exploit could severely compromise the integrity and confidentiality of critical projects and cause significant disruption.
It affects the following versions of CE and EE:

  • GitLab CE/EE 17.1 before 17.1.1
  • GitLab CE/EE 17.0 before 17.0.3
  • GitLab CE/EE 15.8 through 16.11 before 16.11.5

Why Is This Important

Organizations must patch the GitLab pipeline vulnerability immediately to avert significant security risks. If exploited, it can grant unauthorized access to private repositories, allowing attackers to manipulate, steal, or exfiltrate sensitive code and data, with an impact comparable to the Mercedes-Benz source-code exposure disclosed earlier this year, in which a leaked access token opened up internal repositories. Such breaches can compromise the confidentiality, integrity, and availability of critical projects and lead to severe security incidents. Prompt patching protects against these threats and keeps sensitive information secure and operations intact.

Moreover, addressing this vulnerability matters for regulatory and compliance purposes. To sell software and products to the US Government, companies must meet the Self-Attestation Form requirements outlined in Section III, Item 1c of the Secure Software Development Attestation Form. Leaving this vulnerability unpatched could open a compliance gap, jeopardizing existing and future contracts and affecting revenue. Timely patching keeps the organization aligned with these security standards and protects its reputation and financial stability.

Implications

The implications of the GitLab pipeline vulnerability extend beyond the technical. A company that fails to comply with the Self-Attestation Form requirement for doing business with the US Government can face financial penalties and other consequences, which vary with the specific regulations and contractual terms involved. Non-compliance can typically result in fines imposed by regulatory bodies, contractual penalties from the government agency or department involved, and potentially the loss of eligibility for future contracts or business opportunities with the government. The exact fine amounts and penalties are set out in the applicable laws, regulations, or contract terms that govern the requirement.

How it Happened

The vulnerability was reported to GitLab through its HackerOne bug bounty program, and as of now no proof of concept (PoC) has been publicly disclosed. It is nonetheless widely acknowledged that, under certain conditions, the flaw could give a threat actor full control of a pipeline running as another user. The exact conditions required for exploitation have not been published, which is all the more reason to patch promptly rather than wait for a public exploit.

According to GitLab's own advisory, CVE-2024-5655 (CVSS 9.6) stems from the way merge requests were automatically retargeted to a different branch once their original target branch was merged. That retargeting triggered a new pipeline without anyone explicitly starting it, so a pipeline could end up running in the context, and with the permissions, of a user who never initiated it. GitLab shipped two behavioural changes alongside the fix. First, a merge request that is retargeted after its previous target branch is merged no longer runs a pipeline automatically; users must start the pipeline manually. Second, GraphQL authentication using the CI_JOB_TOKEN is disabled by default, closing off the path by which a job token issued to such a pipeline could be used against the GraphQL API. In practical terms, an attacker who could steer one of these pipelines could run CI jobs with another user's privileges, reach the repositories that user can access, and, before the second change, turn the job token against GraphQL endpoints to extract data or perform unauthorized actions.

Recommendations & Remediation

According to the Ponemon Institute, 60% of breach victims stated that their breach occurred through a known vulnerability for which a patch was available but had not been applied. GitLab strongly recommends that all installations running an affected version upgrade as soon as possible: administrators of self-managed instances should move to 17.1.1, 17.0.3, or 16.11.5 (or a later release on the same line), while GitLab.com already runs the patched version. After the upgrade, expect pipelines for merge requests that were retargeted after their target branch merged to require a manual start, and check any automation that relied on CI_JOB_TOKEN authentication to the GraphQL API, since that authentication is now disabled by default.
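The following Python script is an added example, not code from BreachLock or GitLab. It encodes the affected ranges from the version list above and evaluates a version string of the kind GitLab's `/api/v4/version` REST endpoint returns; the sample response it checks is constructed, and the live fetch (which needs a personal access token with at least `read_api` scope) only runs when a URL and token are passed on the command line.

```python
"""Version check for CVE-2024-5655: is a GitLab release inside an affected range?

Added example; not BreachLock's or GitLab's code.  The ranges come from the
advisory's affected-version list; the sample API response is constructed.
"""
import json
import re
import sys
import urllib.request

# Affected ranges, half-open [first affected, first fixed), one per release line.
AFFECTED_RANGES = (
    ((15, 8, 0), (16, 11, 5)),  # 15.8 through 16.11 before 16.11.5
    ((17, 0, 0), (17, 0, 3)),   # 17.0 before 17.0.3
    ((17, 1, 0), (17, 1, 1)),   # 17.1 before 17.1.1
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Reduce '17.0.2-ee' or '16.11.4' to a comparable (major, minor, patch) tuple.

    Edition and pre-release suffixes such as '-ee' or '-rc1' are ignored.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError("unrecognised GitLab version string: %r" % version)
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version falls in any range GitLab patched for CVE-2024-5655."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def fixed_version_for(version):
    """The first patched release on the same line, or None when not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def fetch_instance_version(base_url, token):
    """Read the running version from a self-managed instance via /api/v4/version.

    The token must be a personal access token with at least read_api scope.
    """
    request = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)["version"]


# Constructed sample of the JSON /api/v4/version returns, so the check runs offline.
SAMPLE_VERSION_RESPONSE = '{"version": "17.0.2-ee", "revision": "0000000"}'


def assess(version):
    """Return (version, affected, first fixed version or None) for reporting."""
    return version, is_affected(version), fixed_version_for(version)


def check_sample():
    """Run the assessment against the constructed sample response."""
    return assess(json.loads(SAMPLE_VERSION_RESPONSE)["version"])


if __name__ == "__main__":
    # usage: python check_cve_2024_5655.py [https://gitlab.example.com <token>]
    if len(sys.argv) == 3:
        version, affected, fix = assess(fetch_instance_version(sys.argv[1], sys.argv[2]))
    else:
        version, affected, fix = check_sample()
    if affected:
        print("GitLab %s is affected by CVE-2024-5655; upgrade to %s or later" % (version, fix))
    else:
        print("GitLab %s is not in an affected range" % version)
```

The ranges are half-open on purpose: the fixed release itself is not affected, and anything below 15.8.0 is outside the advisory's stated scope rather than known-safe, so a very old instance should be upgraded regardless of what this check reports.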

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know Your Risk. Contact BreachLock today!
