Dataconomy

GitLab breach linked to Bitcoin ATM data leak: 58,000 affected

Among the highlighted vulnerabilities is CVE-2024-11274, which carries a CVSS score of 8.7

by Kerem Gülen
December 13, 2024

GitLab has issued a critical security update due to vulnerabilities that expose user accounts. This update affects multiple versions, including Community Edition (CE) and Enterprise Edition (EE). The severe flaws could lead to unauthorized access, denial of service, and information disclosure, prompting immediate action from users.

GitLab’s critical update: Addressing vulnerabilities exposing user accounts

Among the highlighted vulnerabilities is CVE-2024-11274, which carries a CVSS score of 8.7. This flaw enables attackers to inject Network Error Logging (NEL) headers into Kubernetes proxy responses, potentially allowing session data exfiltration. As a result, attackers could gain unauthorized access to user accounts by intercepting session data. Another critical issue, CVE-2024-8233, scores 7.5 on the CVSS scale and allows denial-of-service attacks through unauthenticated requests for diff-files, affecting all GitLab versions from 9.4.
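A NEL policy tells the browser to send network error reports to an endpoint group declared in a `Report-To` header, so a defender can audit proxied responses for policies that report outside the organization. The following check is an added example, not GitLab's code or part of the original article; the allowlisted host, the function names and the sample headers are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: the only host this deployment legitimately reports to (hypothetical).
ALLOWED_REPORT_HOSTS = {"reports.gitlab.example"}

# Constructed sample response headers (not captured traffic).
BENIGN = [("Content-Type", "application/json")]
SUSPICIOUS = [
    ("Content-Type", "application/json"),
    ("Report-To", '{"group":"g1","max_age":3600,'
                  '"endpoints":[{"url":"https://collector.invalid/r"}]}'),
    ("NEL", '{"report_to":"g1","max_age":3600,"include_subdomains":true}'),
]


def _parse_objects(value):
    """Both header values are parsed as a JSON list without the outer brackets."""
    try:
        parsed = json.loads("[" + value + "]")
    except json.JSONDecodeError:
        return None
    return [p for p in parsed if isinstance(p, dict)]


def audit_nel(headers, allowed_hosts=ALLOWED_REPORT_HOSTS):
    """Return findings for NEL policies whose reports leave the allowlist."""
    groups, policies, findings = {}, [], []
    for name, value in headers:
        lname = name.lower()
        if lname not in ("nel", "report-to"):
            continue
        items = _parse_objects(value)
        if items is None:
            findings.append(f"unparseable {name} header")
            continue
        for item in items:
            if lname == "nel":
                policies.append(item)
                continue
            endpoints = item.get("endpoints")
            urls = [str(e.get("url", "")) for e in endpoints
                    if isinstance(e, dict)] if isinstance(endpoints, list) else []
            groups.setdefault(str(item.get("group", "default")), []).extend(urls)
    for policy in policies:
        group = str(policy.get("report_to"))
        for url in groups.get(group, []):
            host = urlsplit(url).hostname or ""
            if host not in allowed_hosts:
                findings.append(f"NEL group {group!r} reports to unapproved host {host!r}")
    return findings
```

Run over headers logged at a reverse proxy or egress point, an empty result means no NEL policy in that response reports outside the allowlist.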

The update also addresses medium and low-severity vulnerabilities. One such issue involves the potential exploitation of the CI_JOB_TOKEN, which attackers could use to access user sessions. Moreover, vulnerabilities related to open redirects and path traversal pose risks for phishing attacks and information leakage. Cross-Site Scripting (XSS) risks arise from improper output encoding, which could lead to attacks if a Content Security Policy (CSP) is not in place. Additionally, unauthorized users might gain access to sensitive information, such as branch names in private projects and details about incidents.


GitLab has urged users to update to the latest versions immediately to mitigate these security risks. The company has acknowledged the role of security researchers in identifying these vulnerabilities through its HackerOne bug bounty program.

Byte Federal data breach linked to GitLab vulnerabilities

On December 12, 2024, Byte Federal Inc. filed a notice of data breach, revealing that an unauthorized party accessed its servers by exploiting a vulnerability in GitLab. This breach is believed to have impacted around 58,000 individuals, exposing sensitive information, including names, birthdates, addresses, email addresses, and government-issued IDs.

Byte Federal, a Bitcoin ATM operator based in Venice, Florida, learned of the incident on November 18, 2024. The company took immediate action to secure its servers by shutting down its platform, isolating the unauthorized access, and conducting an investigation with third-party cybersecurity experts. It is still unclear how long the unauthorized party had access to the sensitive data.

Notification of affected individuals began with data breach letters sent out on December 12. These letters provide details on the compromised information, which may also include Social Security numbers, transaction activity, and photographs. Byte Federal continues to review compromised files to assess the precise extent of the data leak.

Preventive measures include resetting all customer accounts and updating passwords in an effort to protect against potential identity theft and fraud. Byte Federal’s efforts highlight the ongoing challenges businesses face with data security and the importance of swift incident response following a breach.

