Unauthorized Pipeline Jobs Flaw Patched By GitLab
Recent media reports have shed light on GitLab rolling out another round of updates. These GitLab security updates are for the pipeline jobs security flaw with the software. In this article, we’ll focus on understanding what the security flaw actually is and what the updates cover. Let’s begin!
GitLab Security Updates: CVE-2024-6385
The most recent GitLab security updates pertain to a vulnerability being tracked as CVE-2024-6385. It currently has a critical vulnerability severity score (CVSS) of 9.6 making it require prompt fixes.
As of now, the company has issued an advisory that provides further details. In the advisory statement, it’s mentioned that the GitLab security flaw was discovered in multiple versions that include:
- Versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.
- Versions 17.1 prior to 17.1.2
The flaw, if exploited, allows threat actors in certain circumstances, to trigger pipelines like an ordinary user. It’s worth mentioning here that GitLab has patched a similar vulnerability known as CVE-2024-5655 with a CVSS score of 9.6. This vulnerability can also allow hackers to run pipelines.
CISA’s Bulletin To Tackle Software Flaws
The GitLab security updates for the vulnerability are an initiative that follows a new bulletin released by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
In the bulletin, the security agencies have urged technology manufacturers to weed out operating system (OS) command injection flaws. When such flaws are exploited, threat actors are able to execute arbitrary code on the compromised devices.
The underlying cause for the prevalence of such flaws is that the user input is not adequately sanitized and validated when commands are being constructed. This lack of authentication is what enables threat actors to execute arbitrary commands, leading to malware downloads.
It’s worth mentioning here that this alert is the third of its kind to be put forth by the agencies. In the previous two, directives pertaining to the elimination of SQL injection (SQLi) and path traversal vulnerabilities were issued.
In addition, these security agencies, alongside others from Canada and New Zealand, have urged the use of robust security solutions to tackle such threats. Commenting on the such solutions, it was stated that:
“By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization’s usability and security through adaptive policies.”
GitLab Security Flaw Patches
Providing a much-needed fix for a critical flaw, GitLab has rolled out an update that addresses the vulnerability and keeps it from being exploited. Apart from catering to CVE-2024-6385, GitLab has also addressed other security issues that include:
- A medium-severity vulnerability tracked as CVE-2024-5257 allows developers with admin_compliance_framework permission to change group URLs.
- A low-severity issue tracked as CVE-2024-5470 where users with admin_push_rules permission could create project-level deploy tokens.
- A package registry vulnerability tracked as CVE-2024-6595 is related to manifest confusion within the NPM packages.
- A low-severity flaw tracked as CVE-2024-2880 enables users with admin_group_member permission to ban group members.
- A subdomain takeover vulnerability that is tracked as CVE-2024-5528 and is evident in GitLab Pages.
In addition to the GitLab security updates, the company has recommended that users upgrade to the latest patch for their supported versions. They also mentioned that details pertaining to the vulnerabilities will be made public 30 days after the release of the patch as it can help limit potential exploits.
Conclusion
GitLab security updates pertaining to CVE-2024-6385 vulnerability underscore the importance of timely updates in cybersecurity. With a critical CVSS score of 9.6, this flaw could allow unauthorized pipeline execution.
Users are urged to update to the latest versions to mitigate risks and enhance security. The incident serves as a stark reminder as to why individuals and organizational users should implement proactive cybersecurity solutions to safeguard against threats.
The source for this piece includes articles in The Hacker News and Security Week.