GitLab patches bug that could expose a CI/CD pipeline to supply chain attack
GitLab addressed 17 vulnerabilities, including a critical flaw (CVE-2024-6678) with a CVSS score of 9.9, potentially allowing data exfiltration and software supply chain compromises across multiple versions.
GitLab has addressed 17 vulnerabilities, including a critical flaw (CVE-2024-6678) with a CVSS score of 9.9 that could allow attackers to trigger a CI/CD pipeline as arbitrary users. This could lead to privilege escalation, data exfiltration, and potential software supply chain compromises. The vulnerability affects all versions of GitLab CE/EE from 8.14 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Although this flaw has not yet been exploited in the wild, it resembles tactics used by advanced persistent threat (APT) groups, raising concerns about long-term access and data manipulation. Experts warn that if exploited, attackers could access source code, introduce malicious code, and compromise the underlying operating systems. The risk is heightened if accounts are shared between GitLab instances, potentially allowing attackers who compromise one organization to reach another. Security teams are advised not only to patch their own systems but also to confirm that their partners are patched, to mitigate the risk of supply chain infections.
- GitLab patched 17 vulnerabilities, including a critical flaw with a CVSS score of 9.9.
- The vulnerability could allow attackers to trigger CI/CD pipelines, leading to data exfiltration and software supply chain compromises.
- It affects multiple versions of GitLab CE/EE, emphasizing the need for timely updates.
- Experts highlight the risk of shared accounts between organizations, increasing vulnerability to attacks.
- Security teams must ensure their partners are also patched to prevent supply chain infections.
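The summary lists three affected ranges, each with a lower bound and a first fixed release, which makes "is our instance affected?" a small version-comparison problem rather than a manual lookup. The script below is an added example, not GitLab's own tooling: it encodes the ranges exactly as the summary states them (8.14 to before 17.1.7, 17.2 to before 17.2.5, 17.3 to before 17.3.2), parses a GitLab version string into a comparable tuple, and reports the fixed release an affected instance should move to. The version strings it is fed are constructed samples.

```python
"""Check a GitLab CE/EE version against the CVE-2024-6678 affected ranges.

Added example; the ranges come from the advisory summary on this page,
and the sample version strings are constructed for illustration.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Each entry is (first affected, first fixed); a version is affected when
# first_affected <= version < first_fixed. Values as stated in the summary.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 14), (17, 1, 7)),
    ((17, 2), (17, 2, 5)),
    ((17, 3), (17, 3, 2)),
]


def parse_version(text: str) -> Version:
    """Turn strings such as '17.1.6-ee' or 'v17.3.1' into an int tuple.

    Edition suffixes (-ee, -ce) and a leading 'v' are dropped; anything
    non-numeric in the remaining dotted core is rejected rather than guessed.
    """
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(p) for p in parts)


def minimum_fixed_version(version_text: str) -> Optional[str]:
    """Return the first fixed release for the range the version falls in.

    Returns None when the version is outside every affected range.
    Tuple comparison handles the short lower bounds: (17, 2) <= (17, 2, 0).
    """
    v = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version_text: str) -> bool:
    """True when the version sits inside any of the affected ranges."""
    return minimum_fixed_version(version_text) is not None


def triage(versions: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Map each version string to the release it must reach, or None if clean."""
    return [(text, minimum_fixed_version(text)) for text in versions]


if __name__ == "__main__":
    # Constructed sample inventory of GitLab instances to triage.
    inventory = ["17.1.6-ee", "17.2.4-ce", "17.3.1-ee", "17.3.2-ee", "16.11.0-ee"]
    for text, fixed in triage(inventory):
        status = f"affected, upgrade to {fixed}" if fixed else "not in an affected range"
        print(f"{text:12} {status}")
```

The check covers only the version ranges the summary gives; the shared-account risk the article raises is an account-hygiene question that no version comparison answers.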
Related
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
Critical Bug in Docker Engine Allowed Attackers to Bypass Authorization Plugins
A critical vulnerability in Docker Engine allows attackers to bypass authorization, risking unauthorized access to containers. Organizations are urged to apply patches and enhance security measures to mitigate these risks.
Number of incidents affecting GitHub, Bitbucket, Gitlab and Jira is rising
Incidents on major development platforms like GitHub, Bitbucket, GitLab, and Jira are rising, with GitHub up 21% in 2023, highlighting security challenges and the need for better collaboration in DevSecOps.
Chrome update fixes 38 security issues, including active vulnerability
Google released a Chrome update addressing 38 vulnerabilities, including a critical 0-day exploit (CVE-2024-7971). Users are urged to update immediately to mitigate risks across all platforms.
Exploiting CI / CD Pipelines for fun and profit
A severe exploit chain can occur from publicly exposed .git directories, allowing unauthorized server access. Regular audits and secure configurations are essential to prevent such vulnerabilities in deployment pipelines.
* The GitLab issue 404s
* The HackerOne link is behind a login.
* The third link describes how to leverage a class of vulnerabilities, but isn't specific to what this one is. (It's a broad CWE about spoofing.)
Does anyone have a link that actually talks about what this vulnerability is? Even GitLab's patch notes [0] are useless.
[0]: https://about.gitlab.com/releases/2024/09/11/patch-release-g...