'GitLab Warns Of Critical Pipeline Execution Vulnerability' - Bleeping Computer

Benzinga ·  09/12 22:57

GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.

The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.

With a critical severity score of 9.9, the CVE-2024-6678 vulnerability could enable an attacker to execute environment stop actions as the owner of the stop action job.

The severity of the flaw comes from its potential for remote exploitation, lack of user interaction, and the low privileges required for exploiting it.

GitLab warns that the issue affects CE/EE versions from 8.14 up to 17.1.7, versions from 17.2 prior to 17.2.5, and versions from 17.3 prior to 17.3.2.
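As an added example (not from the article and not GitLab's own tooling), a small Python triage check that classifies inventoried GitLab version strings against the three affected ranges stated above and names the fixed release an instance should move to. The sample inventory is constructed, and treating each range's upper bound as exclusive (the fixed release itself is not affected) is an assumption noted in the comments.

```python
# Added example: triage GitLab CE/EE versions against the CVE-2024-6678
# ranges given in the bulletin. Not code from the article or from GitLab.

FIXED_RELEASES = ("17.1.7", "17.2.5", "17.3.2")

# Affected ranges from the bulletin. Assumption: the upper bound is the
# fixed release and is therefore exclusive (17.1.7 itself is patched).
AFFECTED_RANGES = (
    ((8, 14, 0), (17, 1, 7)),   # 8.14 up to (but not including) 17.1.7
    ((17, 2, 0), (17, 2, 5)),   # 17.2 prior to 17.2.5
    ((17, 3, 0), (17, 3, 2)),   # 17.3 prior to 17.3.2
)


def parse_version(text):
    """Turn '17.2.4' or '17.2.4-ee' into a comparable (major, minor, patch)."""
    core = text.strip().split("-", 1)[0]          # drop '-ee' / '-ce' suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                         # '17.2' -> (17, 2, 0)
        parts.append(0)
    return tuple(parts[:3])


def affected_by_cve_2024_6678(version):
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version):
    """Fixed release on the same minor line, or the oldest fixed release
    (17.1.7) for minor lines that received no backport; None if patched."""
    if not affected_by_cve_2024_6678(version):
        return None
    v = parse_version(version)
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        if f[:2] == v[:2]:
            return fixed
    return FIXED_RELEASES[0]


def triage(versions):
    """Map each inventoried version to 'patched' or the release to upgrade to."""
    return {ver: (recommended_upgrade(ver) or "patched") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, status in triage(["16.11.0-ee", "17.2.4", "17.3.1", "17.3.2"]).items():
        print(f"{ver:>12}  ->  {status}")
```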

GitLab pipelines are automated workflows used to build, test, and deploy code, part of GitLab's CI/CD (Continuous Integration/Continuous Delivery) system.

They are designed to streamline the software development process by automating repetitive tasks and ensuring that changes to the codebase are tested and deployed consistently.

GitLab addressed arbitrary pipeline execution vulnerabilities multiple times in recent months, including in July 2024, to fix CVE-2024-6385, in June 2024, to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical.

The bulletin also lists four high-severity issues with scores between 6.7 and 8.5 that could allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources. The issues are summarized as follows:

  • CVE-2024-8640: Due to improper input filtering, attackers could inject commands into a connected Cube server via YAML configuration, potentially compromising data integrity. Impacts GitLab EE starting from 16.11.
  • CVE-2024-8635: Attackers could exploit a Server-Side Request Forgery (SSRF) vulnerability by crafting a custom Maven Dependency Proxy URL to make requests to internal resources, compromising internal infrastructure. Affects GitLab EE starting from 16.8.
  • CVE-2024-8124: Attackers could trigger a DoS attack by sending a large 'glm_source' parameter, overwhelming the system and making it unavailable. Impacts GitLab CE/EE starting from 16.4.
  • CVE-2024-8641: Attackers could exploit a CI_JOB_TOKEN to gain access to a victim's GitLab session token, allowing them to hijack a session. Affects GitLab CE/EE starting from 13.7.

For update instructions, source code, and packages, check out GitLab's official download portal. The latest GitLab Runner packages are available here.
