DevOps platform GitLab recently released patches for seven vulnerabilities, including a very serious flaw that allowed threat actors to take over people’s accounts.
As retrieved by BleepingComputerThe highlight of the security advisory is an XSS weakness in the VS Code Editor (Web IDE), which threat actors can exploit via malicious pages. Although the attackers can exploit the flaw without authentication, the bug still requires interaction with the victim, making exploiting the bug a little more complex.
The bug is being tracked as CVE-2024-4835 and is currently awaiting a severity rating.
Targeted at GitLab users
“Today we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” GitLab said. “These versions include important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”
Stealing people’s GitLab accounts can have major consequences, BleepingComputer reports. For example, threat actors could use the accounts to inject malware into CI/CD (Continuous Integration/Continuous Deployment) environments, compromising the victim organization’s repositories.
As a result, GitLab accounts are generally considered a popular target among hackers. Earlier this month, CISA warned about a very serious zero-click account hijacking flaw that hackers are exploiting in the wild. This flaw is tracked as CVE-2023-7028 and was patched in January this year.
When CISA adds vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, it usually means threat actors can use them to attack federal agencies. At the time of writing, approximately 2,000 endpoints were still vulnerable to hackers.
In addition to the . which threat actors can exploit to prevent users from loading GitLab web resources. This vulnerability is tracked as CVE-2024-2874.