Jump to content
  • Sign Up
×
×
  • Create New...
New feature: 1 Vote = 0.10€ for server Owner!

Patch GitLab vuln without delay, users warned

Pelican Press

By Pelican Press,
in World News

 Share

Recommended Posts

  • Diamond Member
Pelican Press Warlord

Pelican Press 0

Posted
  • Diamond Member
Posted



Patch GitLab vuln without delay, users warned

The US Cybersecurity and Infrastructure Security Agency (CISA) has this week added a vulnerability that was first disclosed in January in the

This is the hidden content, please
open source platform to its
This is the hidden content, please
(KEV) catalogue, prompting a flurry of warnings urging users of the service to apply available patches immediately.

Tracked as

This is the hidden content, please
and discovered through GitLab’s HackerOne-run bug bounty programme,
This is the hidden content, please
.

It’s an improper access control vulnerability that enables an attacker to trigger a password reset email to an unverified email, leading to account takeover. CISA said it was unknown, at the time of publication, if it had been used as a factor in any ransomware attacks.

The addition of a vulnerability to the KEV catalogue obliges US government bodies to patch it immediately if affected – they have until later in May to do so – but also serves as a useful guide, and a timely warning, to enterprises and other organisations about what new vulnerabilities are most impactful, and therefore valuable to cyber ********** and other threat actors.

CVE-2023-7028 affects all versions of GitLab C/EE from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. Users should update to versions 16.7.2, 16.6.4 and 16.5.6 immediately.

“We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards,” wrote GitLab’s Greg Meyers

This is the hidden content, please
. “As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.”

Beyond applying the fix, organisations may wish to consider enabling multi-factor authentication (MFA) across their GitLab accounts, and rotate all secrets stored in GitLab, including credentials and account passwords, application programming interface tokens and certificates.

This is the hidden content, please
.

Adam Pilton, cyber security consultant at 

This is the hidden content, please
, and a former cyber ****** investigator at Dorset Police, said: “This is a concerning vulnerability as the potential impact of exploitation can be far and wide, with not only the victim’s business being impacted, but potentially those working closely with them.

“The positive news is that there is a patch available addressing this vulnerability, and I would urge everyone affected to apply this as soon as possible. 

“I would like to highlight the hero of the story, and once again it is MFA,” he said. “Those users that have implemented MFA would have been protected from any cyber ********* that wanted to access their account, as the additional authentication required would have prevented successful login.

“We must learn lessons from every *******, and the lessons learnt from this vulnerability are to enable MFA, ensure you maintain regular patching and make sure that you demand strong cyber security measures within your supply chain,” said Pilton.

Delayed patching

Of concern to other members of the security community was the fact that although CVE-2023-7028 was patched in January 2024, there are still significant numbers of vulnerable GitLab instances in the wild –

This is the hidden content, please
, over 300 in the US, China and Russia, over 200 in Germany, 70 in France, and 40 in the ***.

“The exploit also raises the issue of patching, which we know continues to be a big challenge for many organisations,” said

This is the hidden content, please
strategy vice-president Sylvain Cortes. “The fact is, a patch was released for this flaw on 11 January, yet over a thousand GitLab setups still remain exposed online.

“The priority for teams is to make sure they’re on top of the issues they need to fix first. Severity ratings are important, but security teams should prioritise the vulnerabilities that pose the most risk to their environment.”





This is the hidden content, please

#Patch #GitLab #vuln #delay #users #warned

This is the hidden content, please

0

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Vote for the server

    To vote for this server you must login.

    Jim Carrey Flirting GIF

  • Recently Browsing   0 members

    • No registered users viewing this page.

Important Information

Privacy Notice: We utilize cookies to optimize your browsing experience and analyze website traffic. By consenting, you acknowledge and agree to our Cookie Policy, ensuring your privacy preferences are respected.

  I accept