GitLab warns of critical security flaw which could allow hacker takeovers

Pls share this post


Listen to this article

GitLab has upgraded its Community and Enterprise editions to fix a critical vulnerability which allowed malicious actors to run pipeline jobs as any other platform user. 

In its patch release notes, published on the GitLab website, the company said it “strongly” recommends users upgrade their installations to the latest versions immediately, adding that GitLab.com and GitLab Dedicated were already fixed.

The latest versions are 17.1.2, 17.0.4, 16.11.6, and the vulnerable versions are all between 15.8 and 16.11.6, 17.0 and 17.0.4, and 17.1 and 17.1.2.

Millions at risk

The critical flaw, discovered through the HackerOne bug bounty program, allows an attacker to trigger a pipeline as another user, under certain circumstances. 

READ ALSO  Getting ChatGPT to run on a NAS is actually worth exploring — tech enthusiast puts an Nvidia RTX GPU in a 12-bay NAS powered by an AMD EPYC CPU, and the results are surprising

A GitLab Pipeline is a powerful feature of GitLab’s Continuous Integration/Continuous Deployment (CI/CD) system. It automates the process of building, testing, and deploying code, allowing developers to ensure their software is reliable and ready for release. During the build stage, the code is compiled and transformed into an executable. In the test stage, the code’s integrity and functionality are analyzed for errors and bugs. Finally, in the deployment stage, the validated code is deployed into the desired environment.

By using a pipeline, developers can streamline the development process, automate repetitive tasks, and maintain high code quality. 

The vulnerability is now tracked as CVE-2024-6385, and carries a severity score of 9.6/10 (critical).

READ ALSO  Microsoft says AI at work is here to stay — now we just need to work out how best to use it

GitLab is a DevOps platform with more than 30 million registered users, according to BleepingComputer. More than half of Fortune 100 companies use it for their DevOps needs, including NASA, Intel, Siemens, Goldman Sachs, and many others. 

GitLab Community Edition (CE) is an open source version that is free to use, and as such is mostly used by smaller teams. It includes core features such as source code management, issue tracking, and basic continuous integration/continuous deployment (CI/CD) capabilities. 

The Enterprise edition is a paid version that offers extra features, designed to support larger organizations with more complex needs. This edition includes advanced security features, enhanced CI/CD capabilities, performance monitoring, and compliance tools. It also offers enhanced support for large-scale collaboration, project management, and resource optimization.

READ ALSO 
This is the chip that could feature in the world's largest SSD — Kioxia launches 2Tb NAND chip and key partner Pure Storage may use it in its 150TB SSD DirectFlash modules

More from TechRadar Pro

Source



Pls share this post
Previous articleWhat is UEM? Unified endpoint management explained
Next article
Nvidia promises up to 700% return on investment on GPU doing AI inference work as world’s most valuable company continues journey towards $4 trillion market cap