
CVE-2024-6385: Critical Unauthorised Pipeline Job Vulnerability in GitLab


On 10 July 2024, GitLab issued an advisory regarding a critical vulnerability (CVE-2024-6385) in GitLab CE/EE that had been reported to them through a bug bounty program. This vulnerability allows a threat actor to trigger a GitLab pipeline as another user under certain circumstances. A GitLab pipeline is a collection of automated processes that run in stages to build, test, and deploy code. While the specific circumstances for exploiting the vulnerability have not been revealed, the Common Vulnerability Scoring System (CVSS) metrics disclosed by GitLab indicate that this is a low-complexity (AC:L) exploit. 

At this time, Arctic Wolf has not observed any active exploitation of this vulnerability nor identified a public proof of concept (PoC) exploit. However, threat actors have targeted GitLab instances in the past. In May 2024, CISA warned that threat actors have exploited CVE-2023-7028, a zero-click vulnerability in GitLab CE/EE that allows unauthenticated attackers to hijack accounts through password resets. It is possible that this new vulnerability will be similarly targeted in the near future, given the prevalence of GitLab. 

Recommendation for CVE-2024-6385

Upgrade to Latest Fixed Version 

Arctic Wolf strongly recommends upgrading to the latest fixed version. 

Product        Affected Version         Fixed Version
GitLab CE/EE   15.8 prior to 16.11.6    16.11.6
GitLab CE/EE   17.0 prior to 17.0.4     17.0.4
GitLab CE/EE   17.1 prior to 17.1.2     17.1.2


Note: GitLab.com and GitLab Dedicated are already running the patched version. 
