
GitLab fixes critical flaw allowing unauthorized pipeline tasks

July 11, 2024 | Software Security / Vulnerability


GitLab has released a new round of updates to address security vulnerabilities in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user.

Identified as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

“An issue has been discovered in GitLab CE/EE affecting versions 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2 that allows an attacker to trigger a pipeline under the name of another user under certain circumstances,” the company said in an advisory published Wednesday.

It is worth noting that the company fixed a similar bug late last month (CVE-2024-5655, CVSS score: 9.6) that could also be weaponized to run pipelines under the names of other users.


GitLab also addressed a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a developer user with admin_compliance_framework permissions to modify the URL of a group namespace.

All security vulnerabilities have been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.

This disclosure comes as Citrix released updates for a critical improper-authentication vulnerability affecting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could lead to information disclosure.

Broadcom also released patches for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5) that could be exploited to execute malicious code using specially crafted HTML tags and SQL queries, respectively.

CISA issues bulletins to address software vulnerabilities

These developments also follow a new advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), urging technology makers to close operating system (OS) command injection vulnerabilities in software that allow threat actors to remotely execute code on network devices.

Such flaws occur when user input is not properly sanitized and validated when constructing commands to be executed on the underlying operating system, allowing an adversary to smuggle arbitrary commands that could lead to the deployment of malware or information theft.

“Operating system command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command,” the agencies said. “Despite this discovery, operating system command injection vulnerabilities, many of which stem from CWE-78, remain a widespread class of vulnerability.”
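To make the separation the agencies describe concrete, here is an added example (not code from the article, GitLab, CISA or the FBI) contrasting the CWE-78 pattern with a hardened version. It assumes a hypothetical web handler that takes a hostname from a user and runs a diagnostic tool with it; the tool is stood in for by a Python one-liner so the block runs offline, and the hostname allowlist pattern is a constructed assumption.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample inputs: one benign hostname, one carrying a shell separator.
BENIGN = "example.com"
HOSTILE = "example.com; id"

# Assumed allowlist for the one field this handler accepts (hostnames only).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Tokens that a POSIX shell treats as command separators; used by the check below.
SEPARATORS = {";", "|", "&", "&&", "||"}


def build_command_unsafe(host):
    """CWE-78 pattern: untrusted input is spliced into a shell string.

    If this string were handed to subprocess.run(..., shell=True), the shell,
    not the application, would decide where the intended command ends.
    It is only built here, never executed."""
    return f"ping -c 1 {host}"


def shell_separators(cmd):
    """Detection helper: tokenise a command string the way a shell would and
    return any separator tokens found. A non-empty result means the input
    would become more than one command."""
    lexer = shlex.shlex(cmd, punctuation_chars=True)
    return [tok for tok in lexer if tok in SEPARATORS]


def build_command_safe(host):
    """Hardened pattern: validate against an allowlist, then build an argv
    list. With shell=False the input can only ever be a single argument.

    The Python one-liner stands in for the real diagnostic tool (an assumption
    so the example runs anywhere); it just echoes the argument it received."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", host]


def run_safe(host):
    """Run the hardened command without a shell and return its trimmed output."""
    argv = build_command_safe(host)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("unsafe string:", build_command_unsafe(HOSTILE))
    print("separators found:", shell_separators(build_command_unsafe(HOSTILE)))
    print("safe run:", run_safe(BENIGN))
    try:
        run_safe(HOSTILE)
    except ValueError as exc:
        print("safe path rejected input:", exc)
```

The important difference is structural, not cosmetic: the safe path never produces a string for a shell to parse, so there is nothing for a separator to split. The allowlist is a second, independent layer; the `shell_separators` check is useful in tests or log review to flag inputs that would have changed a legacy string-built command.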

This is the third such alert issued by CISA and the FBI this year. The agencies previously issued two other alerts on the need to eliminate SQL injection (SQLi) and path traversal vulnerabilities in March and May 2024.


Last month, CISA, in collaboration with the cybersecurity agencies of Canada and New Zealand, also released guidance recommending that organizations adopt more robust security solutions, such as Zero Trust, Secure Service Edge (SSE) and Secure Access Service Edge (SASE), which provide greater visibility into network activity.

“By using risk-based access control policies to make decisions through policy decision engines, these solutions integrate security and access control, enhancing an organization’s usability and security through adaptive policies,” the authoring agencies noted.

News Source : thehackernews.com