Better Security, Together

GitLab has released critical patches for its Community Edition (CE) and Enterprise Edition (EE), addressing critical and multiple high-severity vulnerabilities. These vulnerabilities present significant risks, including the ability to run unauthorized pipelines, user impersonation, and exposure to Server-Side Request Forgery (SSRF) attacks.

The critical vulnerability, CVE-2024-9164 (CVSS Score 9.6), allows unauthorized pipelines to run on arbitrary branches. This issue could lead to unauthorized code execution or deployment, posing a risk to sensitive environments. Another high-severity vulnerability, identified as CVE-2024-8970 (CVSS Score 8.2), enables attackers to impersonate users and trigger pipelines under their credentials, which can result in unauthorized actions affecting system integrity and confidentiality. Additionally, CVE-2024-8977 (CVSS Score 8.2), an SSRF vulnerability, allows attackers to make unauthorized requests from the server, potentially exposing internal services or data.

Other notable vulnerabilities include CVE-2024-9631 (CVSS Score 7.5), which affects the viewing of diffs in merge requests with conflicts, potentially slowing down operations and leading to denial-of-service attacks, and CVE-2024-6530 (CVSS Score 7.3), an HTML injection vulnerability that could be exploited for cross-site scripting (XSS) attacks in GitLab’s OAuth page.

Microsoft has addressed 118 vulnerabilities in its latest security update, including five zero-day vulnerabilities and three critical Remote Code Execution (RCE) flaws. Notably, two zero-day vulnerabilities are currently being actively exploited in the wild. The first, CVE-2024-43572, is a Remote Code Execution vulnerability within the Microsoft Management Console, with a CVSS score of 7.8. The second, CVE-2024-43573, is a spoofing vulnerability in the Windows MSHTML platform, carrying a CVSS score of 6.5. Both vulnerabilities have garnered significant attention due to their active exploitation.

In addition to these, three other vulnerabilities were publicly known but not actively exploited at the time of the update. These include CVE-2024-43583, a privilege escalation flaw in Winlogon (CVSS 7.8), CVE-2024-20659, a security bypass vulnerability in Windows Hyper-V (CVSS 7.1), and CVE-2024-6197, a high-severity RCE vulnerability in Open-Source Curl (CVSS 8.8). These flaws also pose considerable risks and require prompt attention.

Among the most critical fixes is CVE-2024-43468, a remote code execution vulnerability in Microsoft Configuration Manager. With a CVSS score of 9.8, this flaw could allow unauthorized users to execute arbitrary commands on vulnerable systems, making it one of the highest-risk vulnerabilities addressed in this patch cycle.