GitLab warns of critical arbitrary branch pipeline execution flaw

October 10, 2024 at 11:19AM GitLab has issued security updates for vulnerabilities in Community and Enterprise Editions, notably a critical flaw (CVE-2024-9164) that allows unauthorized pipeline execution. Patches are available in versions 17.4.2, 17.3.5, and 17.2.9. Users are urged to upgrade promptly; dedicated customers need not take action. **Meeting Takeaways:** 1. **Security Update Release**: GitLab … Read more

GitLab releases fix for critical SAML authentication bypass flaw

September 18, 2024 at 02:43PM GitLab has released security updates for a critical SAML authentication bypass vulnerability affecting self-managed installations of GitLab CE and EE. The flaw arises from a problem in the OmniAuth-SAML and Ruby-SAML libraries, allowing attackers to gain unauthorized access. GitLab strongly recommends immediate upgrades and suggests enabling two-factor authentication as a … Read more

GitLab Updates Resolve Critical Pipeline Execution Vulnerability

September 13, 2024 at 05:03AM GitLab announced patches for 17 vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) including a critical pipeline execution bug, CVE-2024-6678, with a CVSS score of 9.9. Successful exploitation could disrupt services and inject malicious code. The vulnerabilities affect versions 8.14 to 17.3.1, and patches are available in versions … Read more

GitLab Ships Update for Critical Pipeline Execution Vulnerability

July 11, 2024 at 10:48AM GitLab has released security updates to address six vulnerabilities in GitLab CE and EE, including a critical-severity bug (CVE-2024-6385) allowing an attacker to trigger a pipeline as another user. The updates also address a medium-severity bug and four low-severity flaws. Users are advised to update their instances promptly due to … Read more

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

June 28, 2024 at 10:43AM GitLab released updates addressing 14 security flaws, including a critical vulnerability allowing unauthorized execution of CI/CD pipelines. The most severe flaw, CVE-2024-5655 (CVSS score: 9.6), impacts versions 15.8 to 17.1, with 17.1.1, 17.0.3, and 16.11.5 providing fixes. While there’s no active exploitation, users are urged to apply patches. Key takeaways … Read more

High-severity GitLab flaw lets attackers take over accounts

May 23, 2024 at 01:50PM GitLab addressed a high-severity XSS vulnerability allowing unauthenticated attackers to compromise user accounts. Additionally, six medium-severity flaws were fixed, including a CSRF issue and a denial-of-service bug. These vulnerabilities allowed for account takeovers and disruption of services. GitLab urged immediate software updates due to potential impacts on sensitive data and … Read more

Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns

May 3, 2024 at 12:22PM CISA reports an active attack targeting GitLab’s CVE-2023-7028 vulnerability, enabling bad actors to reset account passwords and take control. The severity of the bug necessitates prompt action and patching. Security experts emphasize the importance of multifactor authentication, zero-trust architecture, and privileged access management to counter the exploit and safeguard against … Read more

Hackers Create Legit Phishing Links With Ghost GitHub, GitLab Comments

April 23, 2024 at 03:52PM Hackers are exploiting unpublished GitHub and GitLab comments to create convincing phishing links from legitimate open source software projects. They secretly add malware to a repository and obtain a shareable link, even if the comment is deleted. This flaw affects millions of users and can damage the credibility of the … Read more

Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug

January 25, 2024 at 11:48AM Over 5,000 unpatched GitLab servers are vulnerable to account takeover due to CVE-2023-7028. The flaw, affecting versions 16.1.0 and onwards, allows sending password reset emails to unverified addresses, and was disclosed by a non-profit group. Patches are available in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with hundreds of vulnerable servers globally. GitLab … Read more

Over 5,300 GitLab servers exposed to zero-click account takeover attacks

January 24, 2024 at 01:01PM Over 5,300 GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw enabling attackers to reset passwords and take over accounts. Despite not bypassing 2FA, it poses a significant risk to unprotected accounts. ShadowServer identifies vulnerable servers in the U.S., Germany, Russia, and other countries, urging immediate patching and … Read more