GitLab has released another round of updates to address security flaws in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user.
Tracked as CVE-2024-6385, the vulnerability has a CVSS score of 9.6 out of a maximum of 10.0.
“An issue was discovered in GitLab CE/EE versions 15.8 through 16.11.6, 17.0 through 17.0.4, and 17.1 through 17.1.2 that could allow an attacker to run the pipeline from another user under certain circumstances,” the company said in an advisory on Wednesday.
It should be noted that the company fixed a similar bug late last month (CVE-2024-5655, CVSS score: 9.6) that could also be weaponized to run pipelines as other users.
GitLab is also addressing a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a developer user with admin_compliance_framework permissions to modify the URL for a group namespace.
All security vulnerabilities have been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.
The disclosure comes as Citrix released updates for a critical improper authentication flaw affecting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could lead to information disclosure.
Broadcom also released patches for two vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5), which could be exploited to execute malicious code using specially crafted HTML tags and SQL queries, respectively.
CISA issues bulletins to address software flaws
These developments also follow a new bulletin issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging technology manufacturers to address flaws in the implementation of operating system (OS) commands in software that allow threat actors to remotely execute code on network edge devices.
Such flaws occur when user input is not properly sanitized and validated before being placed into commands that are executed by the underlying operating system, allowing an adversary to inject arbitrary commands that could lead to malware deployment or information theft.
“OS command injection vulnerabilities have long been preventable by clearly separating user input from command content,” the agencies said. “Despite this finding, OS command injection vulnerabilities — many of which are the result of CWE-78 — are still a prevalent class of vulnerability.”
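The vulnerable pattern the bulletin describes beside the separation the agencies recommend, as an added example that is not taken from the article or from CISA's bulletin; the `ping` wrapper, the host allowlist regex and the sample inputs are assumptions constructed for illustration:

```python
import re
import shlex
import subprocess
from typing import List

# Allowlist for a plain host name or IPv4 literal (assumed policy for this
# example). Shell metacharacters such as ; | & ` $ and whitespace cannot match.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def vulnerable_ping_command(host: str) -> str:
    """CWE-78 pattern: untrusted input is concatenated into a string that a
    shell will parse (e.g. subprocess.run(cmd, shell=True)), so the input is
    never separated from the command content."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Reject anything that is not a plain host name or IPv4 literal."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> List[str]:
    """Hardened form: validated input becomes exactly one argv element. With
    no shell involved, characters in `host` are data, not syntax."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def quoted_ping_command(host: str) -> str:
    """Fallback when a shell cannot be avoided: quote every untrusted
    argument so the shell treats it as a single literal word."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str) -> int:
    """Execute with an argv list and the default shell=False."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True, timeout=10)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate hosts and one that a shell
    # would parse as a second command.
    for candidate in ["example.com", "192.0.2.10", "example.com; ls"]:
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```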
This is the third alert issued by CISA and the FBI since the beginning of the year. The agencies previously issued two warnings, in March and May 2024, urging vendors to eliminate SQL injection (SQLi) and path traversal vulnerabilities.
Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also issued guidance advising businesses to adopt more robust security solutions such as zero trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE), which provide greater visibility into network activity.
“Using risk-based access control policies to make decisions through policy decision-making mechanisms, these solutions integrate security and access control, enhancing the usability and security of the organization through adaptive policies,” the agencies noted.