GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

GitLab has released a new set of updates to address security vulnerabilities in its software development platform, including a critical flaw that allows an attacker to execute pipeline jobs as an arbitrary user.

The vulnerability, identified as CVE-2024-6385, has a CVSS score of 9.6 out of 10. “An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances,” GitLab stated in an advisory on Wednesday.

Notably, the company had addressed a similar bug last month (CVE-2024-5655, CVSS score: 9.6) that could also be exploited to run pipelines as other users.

In addition, GitLab fixed a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) allowing a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace.

These security flaws have been resolved in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.

This disclosure coincides with Citrix releasing updates for a critical improper authentication flaw affecting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4), which could lead to information disclosure.

Broadcom has also issued patches for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5). These vulnerabilities could be exploited to execute malicious code using specially crafted HTML tags and SQL queries.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a bulletin urging technology manufacturers to eliminate operating system (OS) command injection flaws. These flaws allow threat actors to remotely execute code on network edge devices by exploiting inadequately sanitized and validated user input.

“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command,” the agencies noted. “Despite this finding, OS command injection vulnerabilities — many of which result from CWE-78 — are still a prevalent class of vulnerability.”
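The separation the agencies describe is easiest to see in code. The following added example (not from the advisory or from GitLab) contrasts a command string that a shell would later parse with a fixed argv list in which the user-supplied value occupies exactly one argument slot; the hostname allow-list regex and the `ping` wrapper are assumptions chosen for illustration.

```python
"""Keeping user input out of command syntax (the CWE-78 mitigation CISA/FBI describe)."""
import re
import shlex
import subprocess

# Assumed input contract for this example: the one parameter the command
# accepts is a DNS hostname or dotted IPv4 literal. Anything else is rejected
# before it gets anywhere near a process.
_HOST_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_host(host: str) -> str:
    """Allow-list validation: raise on anything outside the expected format."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def accepts_host(host: str) -> bool:
    """True if the value passes validation, False otherwise (convenience for callers)."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def unsafe_command_string(host: str) -> str:
    """The pattern the bulletin warns about: input spliced into a string that a
    shell will interpret. Shown only for contrast; nothing here executes it."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: a fixed argv list. No shell parses it, so metacharacters
    in `host` would be plain data even if validation were somehow bypassed."""
    return ["ping", "-c", "1", validate_host(host)]


def is_shell_safe(value: str) -> bool:
    """Heuristic a reviewer or log check can apply: would a shell treat any part
    of this value as syntax? shlex.quote() leaves safe values unchanged."""
    return shlex.quote(value) == value


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute with shell=False; the argv list goes straight to the process."""
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True, check=False)
```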

This alert is the third issued by CISA and the FBI this year, following similar warnings about SQL injection (SQLi) and path traversal vulnerabilities in March and May 2024.

Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also recommended businesses adopt robust security solutions such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE). These solutions provide greater visibility of network activity and integrate security and access control, thereby enhancing an organization’s security through adaptive policies.
