Home Security GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

by


Jul 11, 2024NewsroomSoftware Security / Vulnerability

GitLab has shipped another round of updates to close out security flaws in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user.

Tracked as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

“An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances,” the company said in a Wednesday advisory.

It’s worth noting that the company patched a similar bug late last month (CVE-2024-5655, CVSS score: 9.6) that could also be weaponized to run pipelines as other users.

Cybersecurity

Also addressed by GitLab is a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace.

All the security shortcomings have been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.

The disclosure comes as Citrix released updates for a critical, improper authentication flaw impacting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could result in information disclosure.

Patches have also also released by Broadcom for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5) that could be abused to execute malicious code using specially crafted HTML tags and SQL queries, respectively.

CISA Releases Bulletins to Tackle Software Flaws

The developments also follow a new bulletin released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging technology manufacturers to weed out operating system (OS) command injection flaws in software that allow threat actors to remotely execute code on network edge devices.

Such flaws arise when user input is not adequately sanitized and validated when constructing commands to be executed on the underlying operating system, thereby permitting an adversary to smuggle arbitrary commands that can lead to the deployment of malware or information theft.

“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command,” the agencies said. “Despite this finding, OS command injection vulnerabilities — many of which result from CWE-78 — are still a prevalent class of vulnerability.”

The alert is the third such caution issued by CISA and FBI since the start of the year. The agencies previously sent out two other alerts about the need for eliminating SQL injection (SQLi) and path traversal vulnerabilities in March and May 2024.

Cybersecurity

Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also released guidance recommending businesses to adopt more robust security solutions — such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE) — that provide greater visibility of network activity.

“By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization’s usability and security through adaptive policies,” the authoring agencies noted.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex