GitLab has resolved a raft of vulnerabilities – including two high-impact web security flaws – with an update to its software development platform.
A cross-site request forgery (CSRF) vulnerability in GitLab’s GraphQL API created a means for an attacker to call mutations while posing as their victim.
A second high severity vulnerability meant that the GitLab Webhook feature could be abused to perform denial-of-service (DoS) attacks.
The DoS vulnerability was discovered by researcher ‘afewgoats’ and disclosed through a GitLab bug bounty program run by HackerOne.
CVE trackers have been requested for both high impact vulnerabilities, but identifiers are yet to be assigned.
Ethical hacker ‘afewgoats’ told The Daily Swig that they’ve been working on a way to attack services that offer webhooks.
“The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days,” afewgoats explained. “It’s only Denial of Service, but it could tie up huge amounts of memory on the victim servers.”
“So far it’s been successful against PHP, Ruby and Java targets,” they added.
The CRSF and DoS issues – as well as an array of lesser flaws – can be resolved by updating installations to the most recent version of GitLab.
The platform update also tackles 15 medium severity and two low-impact flaws, as explained in a security alert from GitLab.
These additional flaws include a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and a stored XSS on audit log issue, among other flaws.
(Except for the headline, this story has not been edited by The Technology Express staff and is published from a syndicated feed)