Alert!

GitLab: Account takeover possible after 1-click attack

Several security vulnerabilities in GitLab jeopardize systems. Versions equipped against possible attacks are available for download.


This article was originally published in German and has been automatically translated.

Attackers can exploit a vulnerability in GitLab Community Edition and Enterprise Edition to obtain data that lets them take control of user accounts.

So far, there are no reports of ongoing attacks, but admins should still update the development environment quickly. After all, attacks in this area can have far-reaching consequences: if malicious code slips unnoticed into the source of an application under development and that application is later made available for download, everyone who downloads it receives the Trojan. If the malicious code compromises a program library, every piece of software built with that library is infected. This is known as a supply chain attack.

The developers have closed a total of seven vulnerabilities in versions 16.10.6, 16.11.3 and 17.0.1. In a post, they write that one vulnerability (CVE-2024-4835) is classified as "high" threat level.

To exploit this XSS vulnerability, attackers must lure victims to a website they have prepared; as part of a one-click attack, sensitive user information is then exfiltrated, which leads to an account takeover by the attackers.

The remaining vulnerabilities are rated "medium". Among other things, they can be used for DoS attacks. In addition, unauthorized access to information that should be isolated is possible.

Back in April of this year, the GitLab developers closed security vulnerabilities that attackers could use to compromise accounts. Since the beginning of May 2024, the US authority CISA has been warning of attacks on another GitLab vulnerability (CVE-2023-7028) and has ordered federal authorities to close the vulnerability by May 22, 2024.

(des)