GitLab發布社群版及企業版更新,修補能讓任意用戶執行自動化工作Pipeline的重大漏洞
支付動態 · 2024-07-15
上週GitLab再度發布重大修補更新,處理重大層級的漏洞CVE-2024-6385,若不套用更新,攻擊者有機會冒用其他使用者的名義執行Pipeline工作流程,值得留意的是,不久前GitLab維護團隊才緩解類似型態的弱點
7月10日GitLab發布社群版(CCE)及企業版(EE)更新17.1.2、17.0.4、16.11.6版,當中總共修補6項漏洞,最值得留意的是被列為重大層級風險的CVE-2024-6385。
這項漏洞影響15.8至16.11.5版、17.0至17.0.3版,以及17.1至17.1.3版GitLab,一旦攻擊者利用這項漏洞,就有機會在特定情況下,冒用任意使用者身分執行Pipeline工作流程,CVSS風險評為9.6分。
值得留意的是,兩周前GitLab也修補類似的漏洞CVE-2024-5655,同樣能導致攻擊者冒用他人身分,執行Pipeline工作流程,危險程度也同樣達到CVSS評分9.6。當時,開發團隊也特別指出更新後可能會出現重大變更,要使用者部署前特別留意。
另一個本次修補較為嚴重的漏洞是CVE-2024-5257,為中度風險層級,CVSS風險評為4.9分。當開發人員透過名為admin_compliance_framework的角色,有可能更動用於名稱空間(namespace)群組的URL。
热门文章
Vietnam's tightening online gaming policy creates new market opportunities
Southeast Asia
1spin4win grows its Latin American presence by partnering with Fortuna Juegos
Online Game
British gambling levy rates confirmed for each vertical
Regulation
Kazakhstan plans to penalise online casino promotions
Regulation
Across 6 Cities: HUIDU Invites You to 8 World Cup Parties Redefining High-Value Social Networking
HUIDU Focus
New Jersey July Gambling Revenue Hits $606M, Sweeps Casinos Banned
Regulation
Super PAC Raises $48 Million: Sports Betting Forces Ramp Up Political Push
Regulation
Full House at GAT Expo Cartagena 2026 Academic Agenda
Online Game
Gaming & Technology Expo Makes a Powerful Entrance in CDMX
Marketing
GAT Expo Puerto Rico Will Pulse with the New Era of Gaming in the Caribbean
Marketing
Vietnam’s Controlled Gaming Shift Gains Ground, But Domestic Demand Still Lags
Southeast Asia
B2B Tech Infrastructure Gains Momentum in Philippine Gaming Sector
Southeast Asia
GGC Awards 2026 Shines in Colombo: Honoring Leaders and Innovators in the iGaming Industry
HUIDU Focus
Are you ready to maximize your earnings? Try ProPush.me Constructor!
Marketing
HUIDU Invites You to Booth T70 at iGB L!VE 2026 — Let’s Ignite London This July!
HUIDU Focus
