A bug in #GitLab that, according to GitLab's write up, "allows an attacker to trigger a pipeline as an arbitrary user".

Does this mean an attacker could create a pipeline job to extract secrets and then run it as another user?

GitLab won't say. They just say the attacker can #exploit this #vulnerability "under certain circumstances". Not much #transparency for something they consider a "critical" vulnerability.

Source: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job

Before someone tells me that it's open source and I can just read the source code, just stop. You're missing the point. The point is that people who write up announcements like this should be communicating to other server operators what the actual risk is. Do I need to shut down the CI runner until I can get someone out of bed to patch this? How can I find exploitation in the logs or be completely confident my server wasn't exploited?

#security #infosec #cyber #cybersecurity


Discussion

In similar cases I always expect the worst

This is why I don't allow anyone to get an account on our GitLab server unless they're highly trusted.

In my case, I also don't give the CI runner access to any secrets or access to deploy anything, so I'm not too worried, personally.

But I will still push for better transparency.

I fight for the user!