CVE-2024-6385
📋 TL;DR
This vulnerability in GitLab allows an attacker to trigger CI/CD pipelines as another user under specific conditions, potentially executing unauthorized code or accessing sensitive data. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) installations across multiple recent versions. Organizations using affected GitLab instances for development pipelines are at risk.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could execute arbitrary code in CI/CD pipelines with elevated privileges, potentially gaining access to source code, secrets, credentials, or deploying malicious artifacts to production environments.
Likely Case
Attackers could trigger pipelines to exfiltrate sensitive data, modify code repositories, or disrupt development workflows by running unauthorized jobs.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized pipeline executions that can be detected and rolled back before causing significant damage.
🎯 Exploit Status
Exploitation requires some level of access to trigger pipelines, but specific conditions make unauthorized execution possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.11.6, 17.0.4, 17.1.2
Vendor Advisory: https://about.gitlab.com/releases/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Upgrade to the patched release for your current series: 16.11.6, 17.0.4, or 17.1.2.
3. Restart GitLab services.
4. Verify that the upgrade succeeded and the reported version is the patched one.
🔧 Temporary Workarounds
Restrict pipeline triggers: limit who can trigger pipelines and review pipeline configurations.
🧯 If You Can't Patch
- Implement strict access controls on pipeline triggers and review all pipeline configurations
- Monitor pipeline execution logs for unauthorized activity and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check the running GitLab version in the admin area or from the command line with gitlab-rake gitlab:env:info, then compare it against the patched releases for its series.
Check Version:
sudo gitlab-rake gitlab:env:info | grep Version
Verify Fix Applied:
Verify that the version is at or above the patched release for its series (16.11.6 for 16.11, 17.0.4 for 17.0, 17.1.2 for 17.1) or a later series; a version that is numerically above 16.11.6 but below its own series' fix (for example 17.0.3) is still unpatched.
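An added check for the verification step above (not part of the advisory): a POSIX shell function that classifies a GitLab version string, as printed by gitlab-rake gitlab:env:info, against the three patched releases, reading "or higher" per release series so that 17.0.3 is not mistaken for patched because it is numerically above 16.11.6. It assumes that series after 17.1 ship with the fix and that series older than 16.11, for which no fix is listed here, still need an upgrade.

```shell
#!/bin/sh
# Added example: classify a GitLab version against the CVE-2024-6385 fixed
# releases (16.11.6, 17.0.4, 17.1.2). "Or higher" is applied per series:
# 17.0.3 is numerically above 16.11.6 yet still unpatched.
# Assumptions: series after 17.1 (17.2+, 18.x) ship with the fix; series
# older than 16.11 have no listed fix and are reported as vulnerable.

# cve_2024_6385_status VERSION  -> prints "vulnerable" or "patched"
# VERSION may carry an edition suffix, e.g. "17.0.3-ee".
cve_2024_6385_status() {
    v=${1%%-*}                      # drop "-ee" / "-ce" suffix
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # third component only
        *)   patch=0 ;;                                # "17.2" -> 17.2.0
    esac
    case "$major.$minor" in
        16.11) fixed_patch=6 ;;
        17.0)  fixed_patch=4 ;;
        17.1)  fixed_patch=2 ;;
        *)
            # Not one of the three patched series: newer series carry the
            # fix, older ones must be upgraded.
            if [ "$major" -gt 17 ] || { [ "$major" -eq 17 ] && [ "$minor" -ge 2 ]; }; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
            ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a GitLab host, feed in the live version from the advisory's own command
# (the "Version:" line of gitlab:env:info is assumed to hold it in field 2):
#   cve_2024_6385_status "$(sudo gitlab-rake gitlab:env:info | awk '/^Version/ {print $2}')"
```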
📡 Detection & Monitoring
Log Indicators:
- Unauthorized pipeline triggers
- Pipelines triggered by unexpected users
- Unusual pipeline execution patterns
Network Indicators:
- Unusual API calls to pipeline endpoints
- Suspicious webhook activity
SIEM Query:
source="gitlab" AND (event="pipeline_created" OR event="pipeline_started") AND user NOT IN [authorized_users]