July 11, 2024 | Press release | Software security/vulnerabilities

GitLab has released another round of updates to fix security vulnerabilities in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as any user.

The vulnerability is tracked as CVE-2024-6385 and has a CVSS score of 9.6 out of a maximum of 10.0.

“An issue has been discovered in GitLab CE/EE affecting versions 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2 that allows an attacker to trigger a pipeline as another user under certain circumstances,” the company said in a statement Wednesday.

It is worth noting that late last month the company patched a similar bug (CVE-2024-5655, CVSS score: 9.6), which could also be weaponized to run pipelines as other users.


GitLab has also fixed a moderate-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a developer user with the admin_compliance_framework permission to change the URL of a group namespace.

All security issues have been fixed in versions 17.1.2, 17.0.4, and 16.11.6 of GitLab Community Edition (CE) and Enterprise Edition (EE).

The disclosure came after Citrix released updates for a critical improper authentication flaw affecting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could lead to information disclosure.

Broadcom has also released patches for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5) that could be abused to execute malicious code using specially crafted HTML tags or SQL queries, respectively.

CISA publishes bulletins to fix software bugs

The developments also follow a new bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging technology manufacturers to eliminate operating system (OS) command injection flaws in their software, which allow threat actors to remotely execute code on network-edge devices.

Such flaws arise when user input is not adequately validated and sanitized before it is used to build a command that is executed on the underlying operating system. This lets an attacker inject arbitrary commands, which can lead to malware deployment or information theft.

“OS command injection vulnerabilities have long been preventable by clearly separating user input from the content of a command,” the authorities said. “Despite these findings, OS command injection vulnerabilities – many of which result from CWE-78 – are still a widespread class of vulnerabilities.”
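As an added illustration of the separation the agencies describe (example code written for this page, not from CISA, the FBI or any vendor named above): the CWE-78 string-concatenation pattern beside a hardened form that validates the input and passes it as a separate argv element so no shell ever parses it. The hostname pattern and function names are assumptions, and echo stands in for ping so the demonstration runs offline.

```python
import re
import subprocess
from typing import List

# Assumed allowlist for a hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen per label (constructed, deliberately strict).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(user_host: str) -> str:
    """CWE-78 pattern: user input is spliced into a shell command string.
    Shown for contrast only; the result must never be handed to a shell."""
    return "ping -c 1 " + user_host


def is_valid_hostname(candidate: str) -> bool:
    """Positive validation: accept only what a hostname may look like."""
    return len(candidate) <= 253 and HOSTNAME_RE.fullmatch(candidate) is not None


def safe_command(user_host: str) -> List[str]:
    """Hardened form: validate first, then keep the user value as its own argv
    element. execve() receives it as one argument; '&&', ';' or '|' inside it
    are plain characters, not shell operators."""
    if not is_valid_hostname(user_host):
        raise ValueError(f"rejected hostname: {user_host!r}")
    return ["ping", "-c", "1", user_host]


def run_echo_as_argv(user_input: str) -> str:
    """Run /bin/echo without a shell (argv list, shell=False is the default).
    Whatever metacharacters the input contains, echo prints them literally,
    which is exactly the 'input separated from command' property the
    advisory asks for. echo replaces ping so this runs offline."""
    result = subprocess.run(
        ["echo", user_input], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")
```

Compare `vulnerable_command("example.com && echo injected")`, which yields a string a shell would run as two commands, with `safe_command` on the same input, which rejects it outright.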

This is the third such warning from CISA and the FBI since the beginning of the year; the agencies previously issued alerts in March and May 2024 urging vendors to eliminate SQL injection (SQLi) and path traversal vulnerabilities.


Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also released guidelines recommending that organizations adopt more robust security solutions – such as Zero Trust, Secure Service Edge (SSE) and Secure Access Service Edge (SASE) – that provide greater visibility into network activity.

“By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization’s usability and security through adaptive policies,” the agencies noted.
