GitLab

Pierluigi Paganini January 24, 2024
5379 GitLab servers vulnerable to zero-click account takeover attacks

Thousands of GitLab servers are vulnerable to zero-click account takeover attacks exploiting the flaw CVE-2023-7028. GitLab has recently released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition. The most critical vulnerability, tracked as CVE-2023-7028 (CVSS score 10), is an account takeover via Password Reset. The flaw can be exploited […]

Pierluigi Paganini January 13, 2024
GitLab fixed a critical zero-click account hijacking flaw

GitLab addressed two critical flaws impacting both the Community and Enterprise Edition, including a critical zero-click account hijacking vulnerability GitLab has released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition. The most critical vulnerability, tracked as CVE-2023-7028 (CVSS score 10), is an account takeover via Password Reset. The flaw […]

Pierluigi Paganini September 20, 2023
GitLab addressed critical vulnerability CVE-2023-5009

GitLab rolled out security patches to address a critical vulnerability, tracked as CVE-2023-5009, that can be exploited to run pipelines as another user. GitLab has released security patches to address a critical vulnerability, tracked as CVE-2023-5009 (CVSS score: 9.6), that allows an attacker to run pipelines as another user. The issue resides in GitLab EE and affects […]

Pierluigi Paganini August 23, 2022
GitLab fixed a critical Remote Code Execution (RCE) bug in CE and EE releases

DevOps platform GitLab fixed a critical remote code execution flaw in its GitLab Community Edition (CE) and Enterprise Edition (EE) releases. DevOps platform GitLab has released security updates to fix a critical remote code execution vulnerability, tracked as CVE-2022-2884 (CVSS 9.9), affecting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases. An authenticated attacker […]

Pierluigi Paganini June 04, 2022
GitLab addressed critical account take over via SCIM email change

GitLab addresses a critical security vulnerability, tracked as CVE-2022-1680, that could be exploited by an attacker to take over users’ accounts. GitLab has fixed a critical security flaw in its GitLab Enterprise Edition (EE), tracked as CVE-2022-1680 (CVSS score 9.9), that could be exploited to take over an account. The vulnerability impacts all versions starting […]

Pierluigi Paganini April 02, 2022
Critical CVE-2022-1162 flaw in GitLab allowed threat actors to take over accounts

GitLab has addressed a critical vulnerability, tracked as CVE-2022-1162 (CVSS score of 9.1), that could allow remote attackers to take over user accounts. The CVE-2022-1162 vulnerability is related to the set of hardcoded static passwords during OmniAuth-based registration in GitLab CE/EE. “A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, […]

Pierluigi Paganini November 02, 2021
50% of internet-facing GitLab installations are still affected by a RCE flaw

Researchers warn of a now-fixed critical remote code execution (RCE) vulnerability in GitLab ‘s web interface actively exploited in the wild. Cybersecurity researchers warn of a now-patched critical remote code execution (RCE) vulnerability, tracked as CVE-2021-22205, in GitLab’s web interface that has been actively exploited in the wild. The vulnerability is an improper validation issue of […]

Pierluigi Paganini November 04, 2019
GitLab plans to ban hires in China and Russia due to espionage concerns

The popular code hosting platform GitLab is considering to block new hires from China and Russia due to espionage concerns. GitLab is a popular code hosting platform GitLab that is currently used by several major tech companies including IBM, Sony, NASA, Alibaba, Oracle, Invincea, Boeing, and SpaceX. The news was confirmed by Eric Johnson, VP […]