Security News

Over 5,300 GitLab servers exposed to zero-click account takeover attacks
2024-01-24 17:55

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month. The critical flaw allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.

Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers
2024-01-15 17:36

Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to send a password reset email to an attacker-controlled, unverified email address. Users with 2FA enabled aren't vulnerable to account takeover, unless the attacker also had control of the 2FA authenticator, but a password reset could still be achieved.

Week in review: GitLab account takeover flaw, attackers exploiting Ivanti Connect Secure zero-days
2024-01-14 07:24

Social engineer reveals effective tricks for real-world intrusionsIn this Help Net Security interview, Jayson E. Street, Chief Adversarial Officer at Secure Yeti, discusses intriguing aspects of social engineering and unconventional methods for gathering target information. Understanding zero-trust design philosophy and principlesIn this Help Net Security interview, Phil Vachon, Head of Infrastructure in the Office of the CTO at Bloomberg, discusses the varying definitions of zero trust among security professionals and companies, emphasizing its broad design philosophy.

GitLab warns of critical zero-click account hijacking vulnerability
2024-01-12 17:54

GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction. The most critical security issue GitLab patched has the maximum severity score and is being tracked as CVE-2023-7028.

Urgent: GitLab Releases Patch for Critical Vulnerabilities - Update ASAP
2024-01-12 13:03

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction. Tracked...

Critical GitLab flaw allows account takeover without user interaction, patch quickly! (CVE-2023-7028)
2024-01-12 11:04

A critical vulnerability in GitLab CE/EE can be easily exploited by attackers to reset GitLab user account passwords.Users who have two-factor authentication enabled on their account are safe from account takeover.

GitLab fixes critical vulnerability, patch now! (CVE-2023-5009)
2023-09-22 10:29

GitLab has fixed a critical vulnerability in the Enterprise Edition and Community Edition of its widely used DevOps platform. "Scan execution policy allows configuring built-in scanners for GitLab projects, such as static analysis and vulnerability scanning. These scanners are running in dedicated pipelines with a predefined set of permissions," Alex Ilgayev, head of security research at Cycode told Help Net Security.

GitLab Releases Urgent Security Patches for Critical Vulnerability
2023-09-20 07:18

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions...

GitLab urges users to install security updates for critical pipeline flaw
2023-09-19 17:06

GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies. The flaw was assigned CVE-2023-4998 and impacts GitLab Community Edition and Enterprise Edition versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.

New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities
2023-08-17 14:26

A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth.