Security gaps: Developers equip Gitlab against unauthorized access

Several software vulnerabilities threaten the Community Edition and the Enterprise Edition of Gitlab.


The Gitlab developers recommend that operators of self-hosted instances install the latest security patches for Gitlab Community Edition (CE) and Enterprise Edition (EE) promptly. Otherwise, attackers can exploit several gaps and, among other things, gain access to areas of the development server that are supposed to be sealed off. According to the developers, Gitlab.com is already secured.

According to a warning message, the developers have closed a total of six security vulnerabilities in the current versions 17.3.7, 17.4.4 and 17.5.2. With the exception of one vulnerability, all gaps are classified as "medium".
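The only actionable item for an operator is whether each self-hosted instance runs at least the fixed release for its minor line. The following script is an added example, not code from heise or from the Gitlab project; the fixed versions (17.3.7, 17.4.4, 17.5.2) come from the article, the sample inventory is constructed, and the assumption that any line newer than 17.5 already ships the fixes is mine. The optional `fetch_version` helper uses Gitlab's `GET /api/v4/version` endpoint with a `PRIVATE-TOKEN` header, which is not mentioned in the article.

```python
import json
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

# Minimum patched release per maintained minor line, from the advisory
# quoted in the article (17.3.7, 17.4.4, 17.5.2).
FIXED_RELEASES: Dict[Tuple[int, int], int] = {
    (17, 3): 7,
    (17, 4): 4,
    (17, 5): 2,
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Gitlab version string.

    Accepts the plain form ("17.4.3") and the edition-suffixed form Gitlab
    reports ("17.4.3-ee"). Returns None if the string does not parse.
    """
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """Return True if this version carries the fixes from the advisory.

    - On a line that received a fix (17.3, 17.4, 17.5): patched iff the
      patch number is at or above the fixed release.
    - On a line newer than 17.5: assumed patched (released after the fix).
    - On an older line (17.2 and below, 16.x): unpatched, because no fix
      was issued for those lines; upgrading to a maintained line is required.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Gitlab version string: {version!r}")
    major, minor, patch = parsed
    line = (major, minor)
    if line in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[line]
    return line > max(FIXED_RELEASES)  # assumption: newer lines include the fix


def unpatched_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose reported version is not patched."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


def fetch_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Read the running version from a live instance via GET /api/v4/version.

    The token needs read_api scope. Not called in the offline example below.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "git-prod.example.internal": "17.5.2-ee",
    "git-staging.example.internal": "17.4.3-ee",
    "git-legacy.example.internal": "16.11.10-ce",
    "git-dev.example.internal": "17.6.0-ce",
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"NOT PATCHED: {host} ({SAMPLE_INVENTORY[host]})")
```

Run against a real fleet by replacing the constructed inventory with `{host: fetch_version(url, token)}` for each instance; the comparison logic stays the same.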

If attacks are successful, attackers can, among other things, gain access to the Kubernetes Cluster Agent (CVE-2024-9693, "high"). Unauthorized access is also possible via OAuth (CVE-2024-7404, "medium"). Other gaps allow information to leak (CVE-2024-10240, "medium"). DoS attacks are also conceivable (no CVE number assigned yet).


So far there are no reports that attackers are already exploiting the vulnerabilities. Unfortunately, the developers give users no indicators by which attacks that have already taken place could be recognized.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.