GitLab Fixes Critical Vulnerability Permitting Unauthorized Pipeline Tasks
GitLab has released a new set of updates addressing security vulnerabilities in its software development platform, including a critical flaw that allows an attacker to run pipeline jobs as another user.
Identified as CVE-2024-6385, this vulnerability has been rated with a CVSS score of 9.6 out of a possible 10.0.
“A security loophole was found in GitLab CE/EE versions 15.8 up to 16.11.6, 17.0 up to 17.0.4, and 17.1 up to 17.1.2, allowing a bad actor to initiate a pipeline as a different user in certain situations,” indicated the company in an advisory provided on Wednesday.
Notably, GitLab patched a similar issue at the end of last month (CVE-2024-5655, CVSS score: 9.6), which likewise allowed an attacker to trigger pipelines as another user.
Another issue that has been resolved by GitLab is a medium-severity problem (CVE-2024-5257, CVSS score: 4.9) that enables a Developer user with admin_compliance_framework privileges to alter the URL for a group namespace.
All these security concerns have been rectified in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.
Meanwhile, Citrix has announced patches for a critical authentication flaw affecting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4), leading to potential information leakage.
Broadcom has also released patches for two injection vulnerabilities: an HTML injection flaw in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4, medium severity) and a SQL injection flaw in VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5, high severity), which could be exploited by supplying specially crafted HTML tags and SQL queries, respectively.
CISA Issues Alerts to Address Software Vulnerabilities
These developments come on the heels of a joint alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging technology manufacturers to eliminate operating system (OS) command injection flaws from their software, a class of bug that threat actors have used to remotely execute code on network edge devices.
Such vulnerabilities arise when user-supplied input is not properly validated and sanitized before being used to construct commands that are executed by the underlying OS. An attacker who controls that input can append their own commands, which the shell then runs with the privileges of the vulnerable process, resulting, for example, in malware installation or data theft.
“OS command injection vulnerabilities have always been preventable by maintaining a clear separation between user input and command content,” as stated by the agencies in their announcement. “Despite this fact, OS command injection vulnerabilities—many stemming from CWE-78—persist as a common vulnerability class.”
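The separation the agencies describe is easiest to see side by side. The following is an added example, not code from the advisory or from any of the products named on this page: a vulnerable "host lookup" handler that interpolates user input into a shell command string, next to a hardened version that validates the input and passes it as a single argv element with no shell involved. The command, input and hostname pattern are constructed for illustration (`echo` stands in for `ping` or `nslookup` so the code is harmless to run).

```python
import re
import subprocess

# Constructed attacker input: a "hostname" that carries a shell metacharacter.
MALICIOUS_HOST = "127.0.0.1; echo INJECTED"

# Allow-list for hostnames (illustrative, not an RFC-complete grammar).
# The first character may not be '-', so a value like "-f" cannot be
# smuggled in as an extra flag to the underlying program (argument injection).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def lookup_vulnerable(host: str) -> str:
    """CWE-78: user input is concatenated into a string that /bin/sh parses.

    The shell sees ';' as a command separator, so anything after it runs
    as a second command with this process's privileges.
    """
    cmd = f"echo resolving {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def lookup_no_shell(host: str) -> str:
    """Partial fix: pass input as one argv element, so no shell ever parses it.

    Metacharacters become inert data, but the program still receives
    whatever the user typed, which is why validation is still required.
    """
    out = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return out.stdout


def lookup_hardened(host: str) -> str:
    """Hardened: allow-list validation plus argv execution without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_no_shell(host)


if __name__ == "__main__":
    print("vulnerable :", repr(lookup_vulnerable(MALICIOUS_HOST)))
    print("no shell   :", repr(lookup_no_shell(MALICIOUS_HOST)))
    print("hardened   :", repr(lookup_hardened("127.0.0.1")))
    try:
        lookup_hardened(MALICIOUS_HOST)
    except ValueError as exc:
        print("hardened   :", exc)
```

Running it shows the vulnerable variant printing a second line, `INJECTED`, that the program never asked for, while the argv-based variant emits the metacharacters as literal text and the hardened variant refuses the input outright. The two defences are complementary: avoiding the shell removes the command-separator problem, and the allow-list removes argument injection and keeps unexpected values from ever reaching the underlying program.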
This is the third such alert CISA and the FBI have issued this year. Earlier alerts, published in March and May 2024, urged vendors to eliminate SQL injection (SQLi) and path traversal vulnerabilities, respectively.

Last month, CISA, alongside cybersecurity agencies from Canada and New Zealand, issued guidance recommending that organizations adopt more robust network access security approaches such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE), which offer greater visibility into network activity.
“Utilizing risk-based access control policies to make decisions via policy engines, these solutions merge security aspects with access management, reinforcing an organization’s usability and security through adaptive policies,” the agencies noted in their joint guidance.

