High-severity GitLab flaw lets attackers take over accounts


May 23, 2024 at 01:50PM

GitLab addressed a high-severity XSS vulnerability that allowed unauthenticated attackers to compromise user accounts. It also fixed six medium-severity flaws, including a CSRF issue and a denial-of-service bug. Together these vulnerabilities enabled account takeovers and service disruption, and GitLab urged immediate updates because of the potential impact on sensitive data and supply chain security. Separately, CISA warned that a different account-hijacking vulnerability is being actively exploited, underscoring the need to keep GitLab instances patched.

Key takeaways:

1. GitLab has patched a high-severity vulnerability (CVE-2024-4835) that allowed unauthenticated attackers to exploit a cross-site scripting (XSS) weakness in the VS Code editor (Web IDE) to take over user accounts.
2. GitLab also released versions 17.0.1, 16.11.3, and 16.10.6 for both Community Edition (CE) and Enterprise Edition (EE) to address the security fixes and strongly recommended upgrading to these versions immediately.
3. In addition to the high-severity vulnerability, GitLab also fixed six medium-severity security flaws, including a CSRF vulnerability via the Kubernetes Agent Server and a denial-of-service bug that can disrupt the loading of GitLab web resources.
4. GitLab is a frequent target because it hosts sensitive data, so hijacked GitLab accounts are a significant threat and can lead to supply chain attacks if attackers insert malicious code into CI/CD environments.
5. CISA warned of an actively exploited zero-click account-hijacking vulnerability (CVE-2023-7028) and ordered U.S. federal agencies to secure their systems within three weeks.
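As an added example (not code from the article or from GitLab), the Python check below compares a GitLab instance's reported version against the three fixed releases named above and flags instances that still need the upgrade. The branch rules it applies and the sample inventory are assumptions, marked in the code.

```python
import re

# Fixed releases named in the advisory summary (CE and EE alike).
FIXED_RELEASES = ["17.0.1", "16.11.3", "16.10.6"]

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "gitlab-prod.example.internal": "16.11.2-ee",
    "gitlab-dev.example.internal": "17.0.1",
    "gitlab-legacy.example.internal": "16.9.8",
}


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; trailing suffixes such as '-ee' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """Return True when the version carries the fix for CVE-2024-4835.

    Assumptions (not stated in the article): a release on the same
    MAJOR.MINOR branch as a fixed release is patched iff its patch level
    is >= the fixed one; any branch newer than 17.0 is patched; any branch
    older than 16.10 (e.g. 16.9.x) never received the fix and is unpatched.
    """
    major, minor, patch = parse_version(version)
    fixed = [parse_version(v) for v in FIXED_RELEASES]
    for fmaj, fmin, fpatch in fixed:
        if (major, minor) == (fmaj, fmin):
            return patch >= fpatch
    newest_major, newest_minor, _ = max(fixed)
    return (major, minor) > (newest_major, newest_minor)


def unpatched_hosts(inventory: dict) -> list:
    """Return the sorted hostnames whose version still lacks the fix."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} needs upgrade")
```

Replace INVENTORY with the versions reported by each instance's /api/v4/version endpoint or admin page before acting on the result.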

