Security News

GitLab: Critical bug lets attackers run pipelines as other users
2024-07-10 20:08

GitLab warned today that a critical vulnerability in its product's GitLab Community and Enterprise editions allows attackers to run pipeline jobs as any other user. Under certain circumstances that GitLab has yet to disclose, attackers can exploit it to trigger a new pipeline as an arbitrary user.

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others
2024-06-28 14:18

GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD)...

Critical GitLab bug lets attackers run pipelines as any user
2024-06-27 14:53

A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user. GitLab pipelines are a feature of the Continuous Integration/Continuous Deployment system that enables users to automatically run processes and tasks, either in parallel or in sequence, to build, test, or deploy code changes.

High-severity GitLab flaw lets attackers take over accounts
2024-05-23 17:43

GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting attacks. "Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition and Enterprise Edition," GitLab said.

Federal frenzy to patch gaping GitLab account takeover hole
2024-05-02 14:15

Your profile can be used to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests. Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services, possible interests and personal aspects.

CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability
2024-05-02 06:15

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in...

CISA says GitLab account takeover bug is actively exploited in attacks
2024-05-01 16:29

CISA warned today that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets. The CVE-2023-7028 bug impacts GitLab Community and Enterprise editions, and GitLab fixed it in 16.7.2, 16.5.6, and 16.6.4 and backported patches to versions 16.1.6, 16.2.9, and 16.3.7.

GitLab affected by GitHub-style CDN flaw allowing malware hosting
2024-04-22 15:05

BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. While most of the malware-associated activity was based around the Microsoft GitHub URLs, this "Flaw" could be abused with any public repository on GitHub or GitLab, allowing threat actors to create very convincing lures.

URGENT: Upgrade GitLab - Critical Workspace Creation Flaw Allows File Overwrite
2024-01-30 16:18

GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating...

Self-managed GitLab installations should be patched again (CVE-2024-0402)
2024-01-30 11:51

Less than two weeks after having plugged a security hole that allows account takeover without user interaction, GitLab Inc. has patched a critical vulnerability in GitLab CE/EE again and is urging users to update their installations immediately.GitLab Inc. operates GitLab.com and develops GitLab Community Edition and Enterprise Edition, a widely used software development platform with built-in version control, issue tracking, code review, etc.