Ethical Hacking News

New Critical GitLab Vulnerability Exposed: A Threat to DevOps Pipeline Security


GitLab has released a security update addressing eight security flaws, including one rated critical (CVSS 9.6 out of 10) because of its potential impact on DevOps pipeline security.

  • GitLab has released a security update for its Community Edition and Enterprise Edition platforms, addressing eight security flaws.
  • The most severe flaw, CVE-2024-9164, carries a CVSS score of 9.6 out of 10 and allows running pipelines on arbitrary branches.
  • GitLab has addressed seven other security flaws, including four high-severity vulnerabilities.
  • Users are advised to update their instances to the latest version and apply all security patches promptly to secure against potential threats.



GitLab has recently released a security update for its Community Edition (CE) and Enterprise Edition (EE) platforms, addressing eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. The vulnerability, tracked as CVE-2024-9164, carries a CVSS score of 9.6 out of 10, indicating a high level of severity.

This is the latest in a steady stream of pipeline-related vulnerabilities that GitLab has disclosed in recent months. Last month, the company addressed another critical flaw (CVE-2024-6678, CVSS score: 9.9) that could allow an attacker to run pipeline jobs as an arbitrary user. Prior to that, it also patched three other similar shortcomings: CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).

The GitLab advisory highlights the importance of keeping up to date with the latest security patches, as users are recommended to update their instances to the latest version to safeguard against potential threats. This is especially crucial for organizations that rely heavily on DevOps pipelines, which can be vulnerable to exploits if not properly secured.

One of the most critical vulnerabilities addressed by GitLab is CVE-2024-9164, which carries a CVSS score of 9.6 out of 10. According to the advisory, this issue allows running pipelines on arbitrary branches, which can have significant security implications for organizations that rely on DevOps pipelines. The vulnerability affects all versions of GitLab EE starting from 12.5 prior to 17.2.9, as well as versions starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2.
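As an added triage check that is not part of the original article: the script below encodes the three affected version ranges quoted above for CVE-2024-9164 and tests candidate GitLab version strings against them, so an operator can sort an inventory into patched and unpatched instances. The version strings it runs on are constructed samples.

```python
"""Check GitLab version strings against the CVE-2024-9164 affected ranges.

Ranges are taken from the advisory text as quoted in the article; the
sample inventory at the bottom is constructed input, not real hosts.
"""
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, half-open interval [lo, hi).
AFFECTED_RANGES = [
    ("12.5", "17.2.9"),
    ("17.3", "17.3.5"),
    ("17.4", "17.4.2"),
]


def parse_version(s: str) -> Version:
    """Turn '17.3.4-ee' into (17, 3, 4); edition/build suffixes are ignored."""
    core = s.strip().split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split("."))
    # Pad to three components so '17.3' compares as 17.3.0.
    padded = parts + (0,) * (3 - len(parts))
    return padded[:3]  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected [lo, hi) interval."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to whether it still needs the 9164 fix."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory (not from the article).
    sample = ["17.2.8-ee", "17.2.9-ee", "17.3.4-ee", "17.3.5-ee",
              "17.4.1-ee", "17.4.2-ee", "12.4.9-ee"]
    for ver, hit in triage(sample).items():
        print(f"{ver:12} {'AFFECTED' if hit else 'fixed / out of range'}")
```

Boundary values matter here: 17.2.9, 17.3.5 and 17.4.2 are the first fixed releases, so they report as not affected, while a bare major.minor string such as 17.3 is treated as 17.3.0 and reports as affected.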

In addition to CVE-2024-9164, GitLab has also addressed seven other security flaws, four of which are rated high severity:

  • CVE-2024-8970 (CVSS score: 8.2): allows an attacker to trigger a pipeline as another user under certain circumstances.
  • CVE-2024-8977 (CVSS score: 8.2): allows SSRF attacks in GitLab EE instances with the Product Analytics Dashboard configured and enabled.
  • CVE-2024-9631 (CVSS score: 7.5): causes slowness when viewing diffs of merge requests with conflicts.
  • CVE-2024-6530 (CVSS score: 7.3): HTML injection in the OAuth page when authorizing a new application, due to a cross-site scripting issue.

While there is no evidence of active exploitation of the vulnerability, users are advised to take proactive measures to secure their GitLab instances against potential threats. This can be achieved by updating their instances to the latest version and ensuring that all security patches are applied promptly.

In conclusion, the newly disclosed critical GitLab vulnerability highlights the importance of keeping up to date with the latest security patches and taking proactive measures to secure DevOps pipelines. Organizations that rely on CI/CD pipelines must prioritize security and take immediate action to address this vulnerability and prevent potential exploits.




Related Information:

  • https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html
  • https://nvd.nist.gov/vuln/detail/CVE-2024-9164
  • https://www.cvedetails.com/cve/CVE-2024-9164/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-6678
  • https://www.cvedetails.com/cve/CVE-2024-6678/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-5009
  • https://www.cvedetails.com/cve/CVE-2023-5009/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-5655
  • https://www.cvedetails.com/cve/CVE-2024-5655/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-6385
  • https://www.cvedetails.com/cve/CVE-2024-6385/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-8970
  • https://www.cvedetails.com/cve/CVE-2024-8970/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-8977
  • https://www.cvedetails.com/cve/CVE-2024-8977/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-9631
  • https://www.cvedetails.com/cve/CVE-2024-9631/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-6530
  • https://www.cvedetails.com/cve/CVE-2024-6530/


  • Published: Fri Oct 11 03:59:34 2024 by llama3.2 3B Q4_K_M
