
'GitLab Warns Of Critical Pipeline Execution Vulnerability' - Bleeping Computer

Benzinga ·  09/12 10:57

GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.

The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.

With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job.

The severity of the flaw comes from its potential for remote exploitation, lack of user interaction, and the low privileges required for exploiting it.

GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.
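The affected ranges above are the kind of thing an administrator has to check against every self-managed instance they run. The following is an added example (not code from the article or from GitLab) that encodes the three ranges the advisory states for CVE-2024-6678 and reports which instances in a constructed inventory still need to be upgraded; the host names and versions in the inventory are made up for the demonstration.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory, as half-open [lower, upper)
# intervals over (major, minor, patch):
#   8.14 up to 17.1.7, 17.2 prior to 17.2.5, 17.3 prior to 17.3.2
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 14, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]

# The patched release on each minor line named in the advisory.
FIXED_RELEASES = {
    (17, 1): (17, 1, 7),
    (17, 2): (17, 2, 5),
    (17, 3): (17, 3, 2),
}

# Constructed inventory for the demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("git.corp.example", "17.3.1-ee"),
    ("ci.lab.example", "16.11.3"),
    ("gitlab.dev.example", "17.3.2"),
    ("legacy.example", "8.13.9"),
]


def parse_version(text: str) -> Version:
    """Turn '17.3.1', '17.3.1-ee' or 'v17.3' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0, which matches how the advisory
    phrases '17.2 prior to 17.2.5' (i.e. starting at 17.2.0).
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version lies inside any of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[Version]:
    """Patched release to move to, or None if the version is not affected.

    Stays on the same minor line when the advisory names a fix for it; for
    older lines (e.g. 16.x) it returns the lowest patched release, 17.1.7,
    as the minimum upgrade target (an assumption of this example, not
    guidance from the advisory).
    """
    v = parse_version(text)
    if not is_affected(text):
        return None
    return FIXED_RELEASES.get((v[0], v[1]), (17, 1, 7))


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Version]]:
    """Return (host, current_version, fix_version) for every affected instance."""
    findings = []
    for host, version in inventory:
        fix = recommended_fix(version)
        if fix is not None:
            findings.append((host, version, fix))
    return findings


if __name__ == "__main__":
    for host, current, fix in audit(SAMPLE_INVENTORY):
        print(f"{host}: {current} is affected by CVE-2024-6678, upgrade to {'.'.join(map(str, fix))}")
```

The comparison is done on integer tuples rather than on the raw strings, so that 17.10 sorts after 17.3 and an `-ee` suffix does not disturb the check. The same scaffold can be reused for the other CVEs in the bulletin by swapping in their lower bounds, since all of them are fixed in the same three releases.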

GitLab pipelines are automated workflows used to build, test, and deploy code, part of GitLab's CI/CD (Continuous Integration/Continuous Delivery) system.

They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.

GitLab addressed arbitrary pipeline execution vulnerabilities multiple times in recent months, including in July 2024, to fix CVE-2024-6385, in June 2024, to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical.

The bulletin also lists four high-severity issues with scores between 6.7 and 8.5 that could allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows:

  • CVE-2024-8640: Due to improper input filtering, attackers could inject commands into a connected Cube server via YAML configuration, potentially compromising data integrity. Impacts GitLab EE starting from 16.11.
  • CVE-2024-8635: Attackers could exploit a Server-Side Request Forgery (SSRF) vulnerability by crafting a custom Maven Dependency Proxy URL to make requests to internal resources, compromising internal infrastructure. Affects GitLab EE starting from 16.8.
  • CVE-2024-8124: Attackers could trigger a DoS attack by sending a large 'glm_source' parameter, overwhelming the system and making it unavailable. Impacts GitLab CE/EE starting from 16.4.
  • CVE-2024-8641: Attackers could exploit a CI_JOB_TOKEN to gain access to a victim's GitLab session token, allowing them to hijack a session. Affects GitLab CE/EE starting from 13.7.

For update instructions, source code, and packages, check out GitLab's official download portal. The latest GitLab Runner packages are available here.