GitLab has released a new set of updates to address security vulnerabilities in its software development platform, including a critical flaw that allows an attacker to execute pipeline jobs as an arbitrary user.
The vulnerability, identified as CVE-2024-6385, has a CVSS score of 9.6 out of 10. “An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances,” GitLab stated in an advisory on Wednesday.
Notably, the company had addressed a similar bug last month (CVE-2024-5655, CVSS score: 9.6) that could also be exploited to run pipelines as other users.
In addition, GitLab fixed a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) allowing a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace.
These security flaws have been resolved in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.
This disclosure coincides with Citrix releasing updates for a critical improper authentication flaw affecting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4), which could lead to information disclosure.
Broadcom has also issued patches for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5). These vulnerabilities could be exploited to execute malicious code using specially crafted HTML tags and SQL queries.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a bulletin urging technology manufacturers to eliminate operating system (OS) command injection flaws. These flaws allow threat actors to remotely execute code on network edge devices by exploiting inadequately sanitized and validated user input.
“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command,” the agencies noted. “Despite this finding, OS command injection vulnerabilities — many of which result from CWE-78 — are still a prevalent class of vulnerability.”
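The separation the agencies describe, shown as an added Python example that is not part of the bulletin or this article: the CWE-78 construction beside a quoted variant and the argv form; the ping wrapper, its function names and the sample inputs are hypothetical.

```python
"""Added example, not from CISA/FBI or the article: the vulnerable
CWE-78 construction beside two safer ones. Function names are hypothetical."""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname syntax: labels of letters, digits and hyphens only,
# so shell metacharacters and a leading '-' can never pass validation.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def build_shell_command(host: str) -> str:
    """CWE-78 pattern: untrusted input is spliced into shell command text,
    so the shell parses whatever it contains as part of the command."""
    return f"ping -c 1 {host}"


def build_quoted_shell_command(host: str) -> str:
    """Mitigation when a shell is unavoidable: quote so metacharacters are
    literal. shlex.quote leaves '-f' bare, so option injection remains."""
    return f"ping -c 1 {shlex.quote(host)}"


def is_valid_target(host: str) -> bool:
    """Allow-list check: an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def build_argv(host: str) -> list:
    """Preferred: validate, then pass the input as one argv element so no
    shell ever parses it and it cannot be mistaken for an option."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def ping_host(host: str) -> int:
    """Run without shell=True; returns the process exit status."""
    return subprocess.run(build_argv(host), capture_output=True,
                          check=False).returncode


if __name__ == "__main__":
    for sample in ["example.com", "host; id", "-f"]:  # constructed inputs
        print(sample, "->", build_shell_command(sample), "| argv:",
              build_argv(sample) if is_valid_target(sample) else "rejected")
```

The quoted form stops metacharacter injection but not option injection; only validation plus an argv list closes both.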
This alert is the third issued by CISA and the FBI this year, following similar warnings about SQL injection (SQLi) and path traversal vulnerabilities in March and May 2024.
Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also recommended businesses adopt robust security solutions such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE). These solutions provide greater visibility of network activity and integrate security and access control, thereby enhancing an organization’s security through adaptive policies.