Latest Cyber Security News

You are here: Home / General Cyber Security News / GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others
June 28, 2024

GitLab has produced security updates to deal with 14 security flaws, including one particular critical vulnerability that could be exploited to run constant integration and continual deployment (CI/CD) pipelines as any consumer.

The weaknesses, which influence GitLab Local community Version (CE) and Organization Version (EE), have been dealt with in variations 17.1.1, 17..3, and 16.11.5.

The most significant of the vulnerabilities is CVE-2024-5655 (CVSS score: 9.6), which could permit a malicious actor to bring about a pipeline as an additional user beneath specified situations.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


It impacts the next variations of CE and EE –

  • 17.1 prior to 17.1.1
  • 17. prior to 17..3, and
  • 15.8 prior to 16.11.5

GitLab claimed the repair introduces two breaking variations as a final result of which GraphQL authentication utilizing CI_Occupation_TOKEN is disabled by default and pipelines will no longer operate immediately when a merge request is re-focused just after its past goal branch is merged.

Cybersecurity

Some of the other essential flaws preset as aspect of the latest release are listed below –

  • CVE-2024-4901 (CVSS rating: 8.7) – A saved XSS vulnerability could be imported from a undertaking with malicious commit notes
  • CVE-2024-4994 (CVSS score: 8.1) – A CSRF attack on GitLab’s GraphQL API top to the execution of arbitrary GraphQL mutations
  • CVE-2024-6323 (CVSS rating: 7.5) – An authorization flaw in the world wide research attribute that will allow for leakage of sensitive data from a non-public repository in just a general public challenge
  • CVE-2024-2177 (CVSS score: 6.8) – A cross window forgery vulnerability that allows an attacker to abuse the OAuth authentication circulation through a crafted payload

Though there is no evidence of active exploitation of the flaws, buyers are advised to utilize the patches to mitigate towards opportunity threats.

Discovered this posting intriguing? Comply with us on Twitter  and LinkedIn to go through more exclusive material we article.


Some parts of this write-up are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *