GitLab Patches Critical Vulnerability Allowing Unauthorized Pipeline Jobs
Introduction
GitLab has released a new series of updates to address critical security flaws in its software development platform. Among these, a severe vulnerability tracked as CVE-2024-6385 has been identified, allowing attackers to run pipeline jobs as arbitrary users. This blog will detail the nature of these vulnerabilities, their impact, and the steps GitLab has taken to mitigate them.
Critical Vulnerability: CVE-2024-6385
The critical vulnerability CVE-2024-6385, assigned a CVSS score of 9.6, affects GitLab CE/EE versions 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2. This flaw permits attackers to trigger a pipeline as another user under specific conditions. GitLab disclosed this issue in a recent advisory, underscoring the potential security risks it poses.
Interestingly, this vulnerability is similar to another high-severity flaw (CVE-2024-5655, CVSS score: 9.6) patched by GitLab late last month, which also allowed unauthorized execution of pipeline jobs.
Additional Security Fixes
In addition to the critical vulnerability, GitLab has addressed a medium-severity issue (CVE-2024-5257, CVSS score: 4.9). This flaw enables a Developer user with admin_compliance_framework permissions to alter the URL for a group namespace. These vulnerabilities have been resolved in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.
Other Significant Security Updates
Coinciding with GitLab's updates, Citrix has patched a critical improper authentication flaw affecting NetScaler Console, NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4). This vulnerability could lead to information disclosure.
Additionally, Broadcom has released fixes for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5). These flaws could be exploited to execute malicious code via specially crafted HTML tags and SQL queries, respectively.
CISA's Ongoing Efforts to Address Software Flaws
The US Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), has issued a new bulletin urging technology manufacturers to eliminate operating system (OS) command injection flaws. These vulnerabilities, which allow remote code execution on network edge devices, have been a persistent issue due to inadequate sanitization and validation of user input.
This latest advisory follows two earlier warnings from CISA and the FBI this year, emphasizing the need to address SQL injection (SQLi) and path traversal vulnerabilities. These efforts highlight the agencies' commitment to strengthening cybersecurity practices across the industry.
Recommendations for Enhanced Security
Last month, CISA, alongside cybersecurity agencies from Canada and New Zealand, recommended businesses adopt robust security solutions such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE). These frameworks enhance network activity visibility and integrate security and access control through adaptive policies.Conclusion
The latest security updates from GitLab and other major technology firms underscore the critical importance of timely patching and vigilant cybersecurity practices. As vulnerabilities like CVE-2024-6385 demonstrate, even minor flaws can have significant security implications. Organizations need to remain aware of the newest threats and implement thorough security strategies to safeguard their digital assets.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Dec. 11, 2024, 6:29 p.m.
Nov. 29, 2024, 5:43 p.m.