A bug in #GitLab that, according to GitLab's write up, "allows an attacker to trigger a pipeline as an arbitrary user".
Does this mean an attacker could create a pipeline job to extract secrets and then run it as another user?
GitLab won't say. They just say the attacker can #exploit this #vulnerability "under certain circumstances". Not much #transparency for something they consider a "critical" vulnerability.
Source: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job
Before someone tells me that it's open source and I can just read the source code, just stop. You're missing the point. The point is that people who write up announcements like this should be communicating to other server operators what the actual risk is. Do I need to shut down the CI runner until I can get someone out of bed to patch this? How can I find exploitation in the logs or be completely confident my server wasn't exploited?
#security #infosec #cyber #cybersecurity