A bug in #GitLab that, according to GitLab's write up, "allows an attacker to trigger a pipeline as an arbitrary user".
Does this mean an attacker could create a pipeline job to extract secrets and then run it as another user?
GitLab won't say. They just say the attacker can #exploit this #vulnerability "under certain circumstances". Not much #transparency for something they consider a "critical" vulnerability.
Source: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job
Before someone tells me thay it's open source and I can just read the source code, just stop. You're missing the point. The point is that people who write up announcements like this should be communitating to other server operators what the actual risk is. Do I need to shut down the CI runner until I can get someone out of bed to patch this? How can I find exploitation in the logs or be completely confident my server wasn't exploited?
#security #infosec #cyber #cybersecurity
Dr. Hax
npub16v…meqha
2024-09-12 16:32:32
Author Public Key
npub16v82nr4xt62nlydtj0mtxr49r6enc5r0sl2f7cq2zwdw7q92j5gs8meqhaSeen on
wss://nos.lolPublished at
2024-09-12 16:32:32Event JSON
{
"id": "de885b718452910c571da3a92a6c3deacad4030231b6b61c75b736e8012ba830",
"pubkey": "d30ea98ea65e953f91ab93f6b30ea51eb33c506f87d49f600a139aef00aa9511",
"created_at": 1726151552,
"kind": 1,
"tags": [
[
"t",
"GitLab"
],
[
"t",
"gitlab"
],
[
"t",
"exploit"
],
[
"t",
"vulnerability"
],
[
"t",
"transparency"
],
[
"t",
"security"
],
[
"t",
"infosec"
],
[
"t",
"cyber"
],
[
"t",
"cybersecurity"
],
[
"r",
"https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job"
]
],
"content": "A bug in #GitLab that, according to GitLab's write up, \"allows an attacker to trigger a pipeline as an arbitrary user\".\n\nDoes this mean an attacker could create a pipeline job to extract secrets and then run it as another user?\n\nGitLab won't say. They just say the attacker can #exploit this #vulnerability \"under certain circumstances\". Not much #transparency for something they consider a \"critical\" vulnerability.\n\nSource: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job\n\nBefore someone tells me thay it's open source and I can just read the source code, just stop. You're missing the point. The point is that people who write up announcements like this should be communitating to other server operators what the actual risk is. Do I need to shut down the CI runner until I can get someone out of bed to patch this? How can I find exploitation in the logs or be completely confident my server wasn't exploited?\n\n#security #infosec #cyber #cybersecurity",
"sig": "2cce4f6f3d38e901e8d01a462c6235f967e93913b14d288302646b90dbd050d89a8b11d9c7b07b128ffcac34aaa85102537f64a66287e6e7fa593bb043291e9c"
}