Wednesday , December 18 2024

CVE-2024-11274
GitLab Patch Release for CE and EE

infosecbulletin 6 days ago Vulnerabilities

GitLab has released a critical security update for several versions of its platform, including versions 17.6.2, 17.5.4, and 17.4.6 for both Community and Enterprise Editions. This update fixes vulnerabilities that could result in account takeovers, denial of service attacks, and data leaks.

CVE-2024-11274 (CVSS 8.7) is a critical vulnerability that permits the injection of Network Error Logging (NEL) headers in Kubernetes proxy responses, risking user session data exfiltration. This could allow attackers to steal session data and access accounts without permission.

CISA released best practices to secure Microsoft 365 Cloud environments

By infosecbulletin / Wednesday , December 18 2024
CISA has issued Binding Operational Directive (BOD) 25-01, requiring federal civilian agencies to improve the security of their Microsoft 365...
Read More
CISA released best practices to secure Microsoft 365 Cloud environments

Data breach! Ireland fines Meta $264 million, Australia $50m

By infosecbulletin / Wednesday , December 18 2024
The Irish Data Protection Commission fined Meta €251 million ($263.6 million) for GDPR violations related to a 2018 data breach...
Read More
Data breach! Ireland fines Meta $264 million, Australia $50m

Over 25K SonicWall VPN Firewalls exposed to critical flaws

By infosecbulletin / Wednesday , December 18 2024
More than 25,000 SonicWall SSL VPN devices are vulnerable to critical flaws, with 20,000 running outdated SonicOS/OSX firmware that is...
Read More
Over 25K SonicWall VPN Firewalls exposed to critical flaws

AI-made nude images incident, one school, 50 female victim

By infosecbulletin / Tuesday , December 17 2024
Nearly half of the high school’s female students were victimized in AI based deepfake the images and videos. The students...
Read More
AI-made nude images incident, one school, 50 female victim

Over 4 lac files ‘leaked’: Telecom Namibia hit by major cyberattack

By infosecbulletin / Monday , December 16 2024
Telecom Namibia experienced a cyber incident that leaked customer data. The company is working with local and international cybersecurity experts...
Read More
Over 4 lac files ‘leaked’: Telecom Namibia hit by major cyberattack

HSBC sued by ASIC: customers allegedly scammed of $23 million

By infosecbulletin / Monday , December 16 2024
HSBC Bank Australia Limited did not sufficiently safeguard customers from scams that resulted in millions of dollars being lost, as...
Read More
HSBC sued by ASIC: customers allegedly scammed of $23 million

Sophos Thwarts Global Firewall Attack promptly, Protects Thousands from Data Theft

By infosecbulletin / Sunday , December 15 2024
On 10Th December, 2024 The US Department of Justice said in a press release that a Chinese-born man named Guang...
Read More
Sophos Thwarts Global Firewall Attack promptly, Protects Thousands from Data Theft

Android malware attack Indian banks: Infected 419 devices

By infosecbulletin / Saturday , December 14 2024
Researchers discovered a new Android banking trojan aimed at Indian users. This malware pretends to be essential utility services to...
Read More
Android malware attack Indian banks: Infected 419 devices

Indian-American OpenAI whistleblower Suchir Balaji found dead in San Francisco

By infosecbulletin / Saturday , December 14 2024
A whistleblower from OpenAI, Suchir Balaji, an Indian-American ex-researcher at OpenAI who criticized the company's practices, was found dead in...
Read More
Indian-American OpenAI whistleblower Suchir Balaji found dead in San Francisco

Canadian company exposed unprotected almost 5 million records

By infosecbulletin / Saturday , December 14 2024
Cybersecurity expert, Jeremiah Fowler discovered an unsecured database containing almost 5 million records reportedly relating to Care1 — a Canadian...
Read More
Canadian company exposed unprotected almost 5 million records

CVE-2024-8233 (CVSS 7.5) allows attackers to perform denial of service attacks by repeatedly sending unauthenticated requests for diff-files. All GitLab versions from 9.4 are affected, making it urgent for users to update.

The update also addresses several medium and low-severity vulnerabilities, including:

CI_JOB_TOKEN Exploitation:
Attackers could potentially use stolen CI_JOB_TOKENs to gain access to user sessions.

Open Redirects and Path Traversal:
These vulnerabilities can be used for phishing and data leaks.

Cross-Site Scripting (XSS) and HTML Injection:
Improper output encoding and other vulnerabilities can allow XSS attacks if Content Security Policy (CSP) is not enabled.

Information Leaks:
Unauthorized users could access sensitive information, like project names and incident details.

GitLab urges all users to update to the latest versions immediately to address security risks. The company thanks security researchers for reporting these vulnerabilities through its HackerOne bug bounty program.

Check Also

windows

New Windows zero-day: Exposes credentials, Gets unofficial patch

A newly found zero-day vulnerability lets attackers steal NTLM credentials by manipulating targets into opening …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2024, All Rights Reserved InfoSecBulletin