GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs


Jul 11, 2024 | Newsroom | Software Security / Vulnerability


GitLab has shipped another round of updates to close out security flaws in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user.

Tracked as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

"An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances," the company said in a Wednesday advisory.

It's worth noting that the company patched a similar bug late last month (CVE-2024-5655, CVSS score: 9.6) that could be weaponized to run pipelines as other users.

Also addressed by GitLab is a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace.

All the security shortcomings have been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.

The disclosure comes as Citrix released updates for a critical, improper authentication flaw impacting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could result in information disclosure.

Patches have also been released by Broadcom for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5) that could be abused to execute malicious code using specially crafted HTML tags and SQL queries, respectively.

CISA Releases Bulletins to Tackle Software Flaws

The developments also follow a new bulletin released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging technology manufacturers to weed out operating system (OS) command injection flaws in software that allow threat actors to remotely execute code on network edge devices.

Such flaws arise when user input is not adequately sanitized and validated while constructing commands to be executed on the underlying operating system, thereby permitting an adversary to smuggle in arbitrary commands that can lead to the deployment of malware or information theft.

"OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command," the agencies said. "Despite this finding, OS command injection vulnerabilities — many of which result from CWE-78 — are still a prevalent class of vulnerability."
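The separation the agencies describe, shown as an added illustration that is not part of the bulletin or this article: the CWE-78 pattern splices user input into a shell command string, while the hardened form passes the command as an argument vector with no shell involved, backed by an allowlist check. The input value, the file-name allowlist and the helper names are constructed for this example.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Constructed sample input: the kind of value an attacker might place in a request parameter.
HOSTILE_INPUT = "report.txt; id"

# Constructed allowlist for an expected file name: letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_vulnerable_command(filename: str) -> str:
    """CWE-78 pattern: user input spliced into a string intended for shell=True.
    Built here only so it can be tokenised below; it is never executed."""
    return f"ls -l {filename}"


def shell_tokens(command: str) -> List[str]:
    """Tokenise a command string the way a POSIX shell would, so it is visible
    where the input stops being data and becomes command structure (the ';')."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_safe_argv(filename: str) -> List[str]:
    """Hardened form: an argument vector with no shell, so the entire input is
    handed to the program as one literal argument and cannot add a command."""
    return ["ls", "-l", filename]


def validate_filename(filename: str) -> bool:
    """Defence in depth: reject anything outside the expected shape before use."""
    return SAFE_NAME.fullmatch(filename) is not None


def echo_argument(value: str) -> str:
    """Run a child process without a shell and return the argument as it arrived.
    The current interpreter is used as the child so the example runs anywhere."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("shell would see:", shell_tokens(build_vulnerable_command(HOSTILE_INPUT)))
    print("argv form:      ", build_safe_argv(HOSTILE_INPUT))
    print("allowlist:      ", validate_filename(HOSTILE_INPUT), validate_filename("report.txt"))
    print("child received: ", echo_argument(HOSTILE_INPUT))
```

The tokenised vulnerable string shows the input splitting into a second command, while the child process run without a shell receives the whole string as a single argument.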

The alert is the third such warning issued by CISA and FBI since the start of the year. The agencies previously sent out two other alerts regarding the need to eliminate SQL injection (SQLi) and path traversal vulnerabilities in March and May 2024.


Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also released guidance recommending that businesses adopt more robust security solutions — such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE) — that provide greater visibility of network activity.

"By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization's usability and security through adaptive policies," the authoring agencies noted.
