CVE-2024-6678: 
GitLab vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-6678) was discovered in GitLab CE/EE affecting all versions from 8.14 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. The vulnerability allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. This indicates that the vulnerability requires low attack complexity, can be exploited remotely, requires low privileges, and no user interaction. The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) (NVD, GitLab Release).

The vulnerability could allow attackers to execute pipeline actions as arbitrary users, potentially leading to unauthorized access, data exposure, and system compromise. The high severity ratings across confidentiality, integrity, and availability indicate significant potential impact to affected systems (GitLab Release).

GitLab has released patches to address this vulnerability. Organizations are strongly recommended to upgrade to the fixed versions: 17.1.7, 17.2.5, or 17.3.2. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).