Post by sabbirislam258 on Feb 14, 2024 8:38:03 GMT
GitLab, a leading software development management platform provider, announced on January 11, 2024 that it has released a critical security update to address three vulnerabilities. The update versions are 16.7.2, 16.6.4 and 16.5.6, for GitLab Community Edition (CE) and Enterprise Edition (EE).

List of vulnerabilities and fixes

During 2023, the GitLab user community identified several issues of varying severity. All of them have been fixed in the latest update versions.

Password reset problem
Vulnerable versions: 16.1 to 16.7.2
Impact on users: All authentication mechanisms were vulnerable. Users with two-factor authentication enabled were vulnerable to password resets, but not to account hijacking.
Action for users: Update GitLab to the patched version and enable two-factor authentication for all accounts.

CODEOWNERS approval removal bypass
Vulnerable versions: 15.3 to 16.7.2
Impact on users: Ability to bypass removal of CODEOWNERS approval.
Action for users: Update GitLab to the patched version.

Abusing the Slack/Mattermost integration
Vulnerable versions: 8.13 to 16.7.2
Impact on users: Users may be able to execute commands on behalf of another user due to incorrect authorization checks.
Action for users: Update GitLab to the patched version.

Creating workspaces in a different root namespace
Vulnerable versions: Before 16.7.2
Impact on users: Attackers can create workspaces in one group associated with an agent from another group.
Action for users: Update GitLab to the patched version.

The commit signature check ignores headers after the signature
Vulnerable versions: 12.2 to 16.7.2
Impact on users: Changing the metadata of signed commits.
Action for users: Update GitLab to the patched version.

These vulnerabilities are fixed in the latest versions of GitLab. Users are advised to install the update as soon as possible and take the other security measures mentioned above.

Non-security patches

Version 16.7.2
- Removed dummy tags from resources.
- Fixed cross-database connections in HookData::ProjectBuilder.
- Fixed Sidekiq configuration specification errors.
- Protected internal event CLI specifications from instability.
- Apollo Boards is enabled by default.
- Added missing ci_sources_pipelines indexes for self-hosting.
- Temporarily fixed gems associated with Faraday.

Version 16.6.4
- Merged branch ci-clean-mocked-tags into 16-6-stable.
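The commit signature item above describes a verifier that stops looking at commit headers once it reaches the signature. The following is an added illustration, written for this post and not GitLab's own code: it contrasts a flawed payload reconstruction (headers before gpgsig plus the message) with the payload a git signature actually covers (the whole object minus gpgsig), and adds a check that flags any header placed after the signature. The sample commit objects, the placeholder signature block and the header name x-injected are constructed for the example.

```python
# Added example: why a signature verifier must not treat "gpgsig" as the last header.

def parse_commit(raw: str):
    """Split a raw git commit object into ([(name, value), ...], message).
    Continuation lines (leading space) fold into the previous header; that is
    how gpgsig carries a multi-line armored signature."""
    head, _, message = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line[1:])
        else:
            name, _, value = line.partition(" ")
            headers.append((name, value))
    return headers, message

def _serialize(headers, message: str) -> str:
    # Re-fold multi-line values with the leading-space continuation syntax.
    return "\n".join(n + " " + v.replace("\n", "\n ") for n, v in headers) + "\n\n" + message

def naive_payload(raw: str) -> str:
    """Flawed: assumes gpgsig is the final header and ignores anything after it."""
    headers, message = parse_commit(raw)
    before = []
    for n, v in headers:
        if n == "gpgsig":
            break
        before.append((n, v))
    return _serialize(before, message)

def signed_payload(raw: str) -> str:
    """Correct: a git signature covers the whole object with only gpgsig removed."""
    headers, message = parse_commit(raw)
    return _serialize([(n, v) for n, v in headers if n != "gpgsig"], message)

def headers_after_signature(raw: str) -> list:
    """Defensive check: names of any headers that follow gpgsig (should be empty)."""
    names = [n for n, _ in parse_commit(raw)[0]]
    return names[names.index("gpgsig") + 1:] if "gpgsig" in names else []

# Constructed sample objects; the signature block is a placeholder, not a real signature.
SIGNED = ("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
          "author A U Thor <a@example.com> 1700000000 +0000\n"
          "committer A U Thor <a@example.com> 1700000000 +0000\n"
          "gpgsig -----BEGIN PGP SIGNATURE-----\n"
          " PLACEHOLDER\n"
          " -----END PGP SIGNATURE-----\n"
          "\n"
          "Signed release\n")
# Same object with one constructed header appended after the signature block.
TAMPERED = SIGNED.replace("\n\nSigned", "\nx-injected tampered metadata\n\nSigned")
```

The flawed reconstruction yields identical bytes for both objects, so a signature over the original would still verify against the tampered one; the correct reconstruction differs and the header check names the offending header.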