GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs
GitLab has shipped another round of updates to close out security flaws in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user.
Tracked as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.
“An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances,” the company said in a Wednesday advisory.
It’s worth noting that the company patched a similar bug late last month (CVE-2024-5655, CVSS score: 9.6) that could also be weaponized to run pipelines as other users.
Also addressed by GitLab is a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace.
All the security shortcomings have been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.
The disclosure comes as Citrix released updates for a critical, improper authentication flaw impacting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could result in information disclosure.
Patches have also also released by Broadcom for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5) that could be abused to execute malicious code using specially crafted HTML tags and SQL queries, respectively.
CISA Releases Bulletins to Tackle Software Flaws
The developments also follow a new bulletin released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging technology manufacturers to weed out operating system (OS) command injection flaws in software that allow threat actors to remotely execute code on network edge devices.
Such flaws arise when user input is not adequately sanitized and validated when constructing commands to be executed on the underlying operating system, thereby permitting an adversary to smuggle arbitrary commands that can lead to the deployment of malware or information theft.
“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command,” the agencies said. “Despite this finding, OS command injection vulnerabilities — many of which result from CWE-78 — are still a prevalent class of vulnerability.”
The alert is the third such caution issued by CISA and FBI since the start of the year. The agencies previously sent out two other alerts about the need for eliminating SQL injection (SQLi) and path traversal vulnerabilities in March and May 2024.
Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also released guidance recommending businesses to adopt more robust security solutions — such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE) — that provide greater visibility of network activity.
“By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization’s usability and security through adaptive policies,” the authoring agencies noted.