Manage Tickers

Has my stock been accused of fraud?Join over 160k users who know.

Ticker Price Change($) Change(%) Shares Volume Prev Close Open Gain($) Gain(%)
Ticker Status Jurisdiction Filing Date CP Start CP End CP Loss Deadline
Ticker Case Name Status CP Start CP End Deadline Settlement Amt
Ticker Name Date Analyst Firm Up/Down Target ($) Rating Change Rating Current
Analyst Rating Guide

News

Back

'Critical GitLab Bug Lets Attackers Run Pipelines As Any User' - Bleeping Computer

Author: Benzinga Newsdesk | June 27, 2024 10:55am

https://www.bleepingcomputer.com/news/security/critical-gitlab-bug-lets-attackers-run-pipelines-as-any-user/

A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user.

GitLab is a popular web-based open-source software project management and work tracking platform. It has an estimated one million active license users.

The security issue addressed in the lasted update is tracked as CVE-2024-5655 and has a severity score of 9.6 out of 10. Under certain circumstances, which the vendor did not define, an attacker could leverage it to trigger a pipeline as another user.

GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment (CI/CD) system that enables users to automatically run processes and tasks, either in parallel or in sequence, to build, test, or deploy code changes.

The vulnerability impacts all GitLab CE/EE versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible" - GitLab

GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends users to apply the updates as soon as possible.

The vendor also informs that upgrading to the latest versions comes with two breaking changes that users should be aware of:

  1. Pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Users must manually start the pipeline to execute CI for their changes.
  2. CI_JOB_TOKEN is now disabled by default for GraphQL authentication starting from version 17.0.0, with this change backported to versions 17.0.3 and 16.11.5. To access the GraphQL API, users need to configure one of the supported token types for authentication.

The latest GitLab update also introduces security fixes for 13 other issues, the severity of three of them being rated as "high" (CVSS v3.1 score: 7.5 – 8.7). These three are summarized as follows:

  • CVE-2024-4901: Stored XSS vulnerability allowing malicious commit notes from imported projects to inject scripts, potentially leading to unauthorized actions and data exposure.
  • CVE-2024-4994: A CSRF vulnerability in the GraphQL API allowing attackers to execute arbitrary GraphQL mutations by tricking authenticated users into making unwanted requests, potentially leading to data manipulation and unauthorized operations.
  • CVE-2024-6323: Authorization flaw in GitLab's global search feature allowing attackers to view search results from private repositories within public projects, potentially leading to information leaks and unauthorized access to sensitive data.

Resources for GitLab updates are available here, while GitLab Runner guidelines can be found on this page.

Posted In: GTLB


CORE & Plaid

CORE Finalist

CLASS ACTION DEADLINES - JOIN NOW!

07/01/2024 Globe Life Inc. f/k/a Torchmark Corporation (GL)
07/01/2024 Equinix, Inc. (EQIX)
07/02/2024 Intel Corporation (INTC)
07/05/2024 AXT, Inc. (AXTI)
07/05/2024 Altimmune, Inc. (ALT)
07/09/2024 Li Auto Inc. (LI)
07/12/2024 Inari Medical, Inc. (NARI)
07/12/2024 Sprout Social, Inc. (SPT)
07/15/2024 UnitedHealth Group Inc. (UNH)
07/16/2024 Teladoc Health, Inc. (TDOC)

NEW CASE INVESTIGATION

Ooma Inc (OOMA) AnaptysBio Inc (ANAB)
CORE Finalist