Hello,
For your awareness at 1:00PM CT, we distributed a Security Bulletin to targeted customers regarding a critical arbitrary branch pipeline vulnerability in GitLab EE.
Bulletin Distribution:
This security bulletin was issued to a targeted list of customers based on the possibility that the customer may have this product in their environment. Although we couldn't verify the specific version or program, we sent it as a precaution to ensure our customers are aware of the threat and its potential risk.
Threat Intelligence Response:
- Analyzed the vulnerability to assess the potential impact to Arctic Wolf customers and provided recommendations to patch affected products.
- Published a Security Bulletin to customers with new details.
- We are actively monitoring all intelligence sources for any new details that may come out regarding the exploitation of this vulnerability.
Summary of Bulletin:
- On October 9, 2024, GitLab released patches for a critical vulnerability affecting various versions of GitLab EE, identified as CVE-2024-9164.
- This flaw allows a remote attacker to run pipelines on arbitrary branches within a repository, which could potentially lead to code execution.
- We are recommending that customers upgrade to the latest fixed versions.