High-severity GitLab flaw lets attackers take over accounts


GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks.

The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages.

While they can exploit this vulnerability in attacks that don’t require authentication, user interaction is still needed, increasing the attacks’ complexity.

“Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” GitLab said.

“These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”

On Wednesday, the company also fixed six other medium-severity security flaws, including a Cross-Site Request Forgery (CSRF) via the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug that can let attackers disrupt the loading of GitLab web resources (CVE-2024-2874).

Vulnerability Severity
1-click account takeover via XSS leveraging the VS code editor (Web IDE) High
A DOS vulnerability in the ‘description’ field of the runner Medium
CSRF via K8s cluster-integration Medium
Using Set Pipeline Status of a Commit API incorrectly creates a new pipeline Medium
Redos on wiki render API/Page Medium
Resource exhaustion and denial of service with test_report API calls Medium
Guest user can view dependency lists of private projects through job artifacts Medium

Older account hijacking bug actively exploited in attacks

GitLab is a popular target since it’s known to host various types of sensitive data, including API keys and proprietary code.

Hence, hijacked GitLab accounts can have a significant impact, including supply chain attacks, if the attackers insert malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments, compromising an organization’s repositories.

As CISA warned earlier this month, threat actors are now actively exploiting another zero-click account hijacking vulnerability patched by GitLab in January.

Tracked as CVE-2023-7028, this maximum severity security flaw allows unauthenticated attackers to take over GitLab accounts via password resets.

Even though Shadowserver discovered over 5,300 vulnerable GitLab instances exposed online in January, less than half (2,084) are still reachable at the moment.

​CISA added CVE-2023-7028 to its Known Exploited Vulnerabilities Catalog on May 1, ordering U.S. federal agencies to secure their systems within three weeks by May 22.



Source link