October 20, 2024 at 10:50AM The Internet Archive suffered a security breach on its Zendesk support platform, leading to the exposure of over 800,000 support tickets and a stolen user database of 33 million individuals. Despite prior warnings about exposed GitLab tokens, security measures were not implemented, allowing the breach to occur for notoriety among … Read more
October 11, 2024 at 03:27AM GitLab has released security updates for its Community and Enterprise Editions, addressing eight vulnerabilities, including a critical one (CVE-2024-9164) with a CVSS score of 9.6, allowing unauthorized CI/CD pipeline execution. Users are urged to update their instances to mitigate potential threats, as ongoing vulnerabilities have recently been disclosed. **Meeting Takeaways … Read more
September 19, 2024 at 05:16PM Organizations using self-hosted GitLab instances with SAML-based authentication are advised to urgently update to the latest versions due to a severe bug (CVE-2024-45409) allowing attackers to bypass authentication checks and gain unauthorized access. GitLab has already updated managed instances but urges self-managed installations to patch immediately to mitigate the vulnerability. … Read more
September 19, 2024 at 01:36AM GitLab released patches to address a critical flaw in both Community and Enterprise Editions, rooted in the ruby-saml library, allowing an authentication bypass. The vulnerability affects single sign-on security, prompting the update of dependencies and urging self-managed installations to enable two-factor authentication as a mitigation. Threat indicators suggest active exploitation … Read more
September 12, 2024 at 01:12PM GitLab released security updates addressing 17 vulnerabilities, including a critical flaw (CVE-2024-6678) enabling an attacker to run pipeline jobs as an arbitrary user. This is the fourth flaw patched in the past year. Users are urged to apply the patches immediately. There is no evidence of active exploitation, but caution … Read more
September 12, 2024 at 10:50AM GitLab has released critical updates to address multiple vulnerabilities, including the most severe CVE-2024-6678, allowing an attacker to trigger pipelines as arbitrary users. The release encompasses versions 17.3.2, 17.2.5, and 17.1.7 for both CE and EE, and addresses a total of 18 security issues. GitLab urges immediate upgrading to the … Read more
July 12, 2024 at 04:34PM GitLab recently disclosed a critical vulnerability, CVE-2024-6385, impacting its DevOps platform, allowing attackers to run pipelines within users’ contexts. With a severity rating of 9.6 on the CVSS scale, the bug affects GitLab versions 15.8 to 17.1. Users were strongly urged to upgrade as soon as possible. This follows a … Read more
June 27, 2024 at 10:57AM A critical vulnerability affecting certain versions of GitLab allows running pipelines as any user, with a severity score of 9.6 out of 10. It impacts versions from 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0, with updates to versions 17.1.1, 17.0.3, and 16.11.5 available. Two breaking changes and … Read more
May 2, 2024 at 10:25AM CISA is mandating federal agencies to patch a critical vulnerability in GitLab to prevent active exploitation by attackers. The vulnerability, CVE-2023-7028, allows unauthorized account takeovers and poses a risk of software supply chain attacks. GitLab has released fixed versions, and those with two-factor authentication are safe. Currently, around 2,149 GitLab … Read more
May 2, 2024 at 02:54AM The U.S. Cybersecurity and Infrastructure Security Agency has added a critical flaw in GitLab to its Known Exploited Vulnerabilities catalog due to active exploitation. Tracked as CVE-2023-7028, the vulnerability could facilitate account takeover and has been addressed in several GitLab versions. Federal agencies are required to apply the latest fixes … Read more