Many serious security holes are found in GitLab
Last week, GitLab released a series of unusual updates to fully address several key security holes found on the platform. The problem is that these critical vulnerabilities exist across many GitLab components and affect different versions of the platform, which makes patching difficult. GitLab has not yet disclosed many details about the vulnerabilities and patches, but to stay safe you should update your GitLab to the latest version.
There have been 3 serious security holes found on GitLab
Many detected vulnerabilities exist in GitLab
In a short span of time, researchers from several security teams have found multiple vulnerabilities in GitLab. The world's most popular DevOps platform has confirmed the existence of these critical vulnerabilities. According to the disclosure, GitLab has fixed 3 different vulnerabilities in its software.
The first of these vulnerabilities could allow attackers to access internal resource repositories once they gain access to the Grafana dashboard through hard-coded credentials. It was discovered and reported by security researcher Michael Gernoth and is tracked as CVE-2019-14943. It directly affects GitLab CE/EE from version 12.0 onward.
Security expert Michael Gernoth
The second problem stems from Gitaly and is tracked as CVE-2019-14944. It could serve as a stepping stone to remote code execution as well as privilege escalation vulnerabilities. It mainly affects GitLab CE/EE from version 10.0 onward.
This vulnerability was discovered and reported by security researcher William Bowling, and earned the white-hat hacker a 12,000 bounty through HackerOne's bug bounty program.
Another major security issue, tracked as CVE-2019-14942, affects GitLab CE/EE version 11.5 and above. GitLab described it in its security advisory as follows:
'Authentication cookies on GitLab Pages with Access Control can be sent over HTTP and are not properly encrypted, which makes them vulnerable to Man-in-the-Middle attacks.'
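As an added illustration of the weakness class behind CVE-2019-14942 (this is not code from GitLab or its advisory): a small audit that parses a Set-Cookie header and reports whether a session cookie lacks the Secure attribute, the gap that lets a browser send it over plain HTTP where it can be intercepted. The cookie name and values below are constructed.

```python
# Audit Set-Cookie headers for attributes that leave session cookies exposed
# in transit. Added example, not GitLab's code; sample values are constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and list its exposure gaps."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None
    report = CookieReport(name, secure, httponly, samesite)
    if not secure:
        # Without Secure the browser also attaches the cookie to http://
        # requests, so an on-path attacker can read it in cleartext.
        report.findings.append("missing-secure")
    if not httponly:
        report.findings.append("missing-httponly")
    if samesite is None:
        report.findings.append("missing-samesite")
    return report


# Constructed sample headers: a weak cookie and its hardened counterpart.
SAMPLE_HEADERS = {
    "weak": "pages_session=c0nstructed; Path=/; HttpOnly",
    "hardened": "pages_session=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        r = audit_set_cookie(header)
        print(f"{label}: {r.name} -> {r.findings or 'ok'}")
```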
GitLab patched security holes
In this incident, credit is due to the quick reaction and the seriousness of GitLab's security team. They patched all three security holes before any incidents were reported. For the fix for CVE-2019-14943, GitLab built the patch very carefully:
'Hard-coded basic authentication and administrative information is now disabled by default in the case of Grafana integrated as part of the Omnibus-based GitLab package. This change makes GitLab SSO the only authentication method, creating a backup of existing data and resetting Grafana to GitLab defaults.'
The patched versions are GitLab Community Edition (CE) and Enterprise Edition (EE) 12.1.6, 12.0.6 and 11.11.8. GitLab has also pledged to publicly post full details of the vulnerabilities in about a month. In the meantime, users need to update their systems to the patched versions immediately to avoid security incidents.
GitLab has released patches: 12.1.6, 12.0.6 and 11.11.8