GitLab has released security updates for both the Community and Enterprise Editions that address two critical vulnerabilities, one of which allows account hijacking without any user interaction. GitLab.com already runs the patched code; self-managed installations do not update themselves, so GitLab strongly recommends upgrading every vulnerable instance of the DevSecOps platform as soon as possible.
The most severe issue, CVE-2023-7028, carries the maximum CVSS score of 10.0. It is a flaw in the password reset flow: a reset request could carry more than one email address, and GitLab sent the reset link to all of them, including unverified addresses under the attacker's control, so an account could be taken over without any action by its owner. If two-factor authentication (2FA) is enabled, the password can still be reset this way, but logging in still requires the second factor, which is why GitLab recommends enabling 2FA on all accounts. Given that GitLab instances commonly hold proprietary code, API keys and other sensitive data, a hijacked account can have a profound impact on an organization.
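To make the failure mode concrete, here is an added illustration, written for this article and not taken from GitLab's code, of a password reset handler that trusts the caller-supplied email parameter beside a hardened version. The user store, the outbox and the form-parameter layout are constructed stand-ins; the layout follows the Rack/Rails convention in which a repeated `user[email][]` key parses to an array, which is how one request can carry more than one address.

```python
import secrets
from urllib.parse import parse_qs

# Constructed user store (assumption, not GitLab's data model): one account
# with a verified primary address and a secondary address that was added but
# never confirmed.
USERS = [
    {
        "username": "alice",
        "primary_email": "alice@example.com",
        "emails": {"alice@example.com": True, "alice.old@example.org": False},
    }
]

OUTBOX = []  # constructed stand-in for the mailer: (recipient, token) pairs


def send_reset_mail(recipient, token):
    OUTBOX.append((recipient, token))


def find_user_by_email(email):
    """Look an account up by any address attached to it, verified or not."""
    for user in USERS:
        if email in user["emails"]:
            return user
    return None


def submitted_emails(form_body):
    """Return the email parameter as a list. Rack/Rails-style form encoding
    turns repeated 'user[email][]' keys into an array, so a single reset
    request can name several addresses."""
    params = parse_qs(form_body)
    return params.get("user[email][]") or params.get("user[email]") or []


def vulnerable_reset(form_body):
    """Flawed flow: accept every submitted address, locate an account that
    matches any of them, and send one reset token to all of them. Returns the
    recipients, which is how the attacker-controlled address gets the link."""
    emails = submitted_emails(form_body)
    user = None
    for email in emails:
        user = find_user_by_email(email)
        if user:
            break
    if user is None:
        return []
    token = secrets.token_urlsafe(32)
    for email in emails:  # no check that the address is the account's, or verified
        send_reset_mail(email, token)
    return emails


def hardened_reset(form_body):
    """Safer flow: only the scalar 'user[email]' field is read and it must hold
    exactly one value; that value must be a verified address on the account;
    and the link goes to the account's own verified primary email, never to
    whatever was typed into the form. Unknown and unverified addresses yield
    the same empty result, so the endpoint does not reveal which ones exist."""
    emails = parse_qs(form_body).get("user[email]", [])  # array form is ignored
    if len(emails) != 1:
        return []
    user = find_user_by_email(emails[0])
    if user is None or not user["emails"].get(emails[0]):
        return []
    token = secrets.token_urlsafe(32)
    send_reset_mail(user["primary_email"], token)
    return [user["primary_email"]]
```

The vulnerable handler mails the same token to `evil@attacker.test` whenever the victim's address is anywhere in the array, and it also honours the never-confirmed `alice.old@example.org`; the hardened one sends nothing in either case.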
The following versions are impacted:
- 16.1 prior to 16.1.5
- 16.2 prior to 16.2.8
- 16.3 prior to 16.3.6
- 16.4 prior to 16.4.4
- 16.5 prior to 16.5.6
- 16.6 prior to 16.6.4
- 16.7 prior to 16.7.2
If you run any of the versions listed above, upgrade to a patched release now. Because the reset link goes to an address the attacker chose, the victim's mailbox shows nothing unusual, so after patching review the password reset requests in your logs, rotate the credentials and tokens of any account that looks affected, and enable 2FA where it is not already on.
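GitLab's post-incident guidance is to look in `gitlab-rails/production_json.log` for POST requests to `/users/password` whose email parameter is a JSON array with more than one address, and in `gitlab-rails/audit_json.log` for `PasswordsController#create` events whose `target_details` is such an array. The script below is an added example, not GitLab's tooling, that applies both checks. The sample lines are constructed to resemble those log formats; the exact field names (`params` as a list of `{key, value}` objects, `meta.caller_id`, `remote_ip`) are assumptions to verify against your own log lines before relying on the output.

```python
import json
import sys

# Constructed sample lines (not real logs) in the shape of gitlab-rails
# production_json.log: one request with an email array, one normal reset,
# one unrelated request, one unparsable line.
SAMPLE_PRODUCTION_LOG = [
    '{"method":"POST","path":"/users/password","status":302,'
    '"time":"2024-01-12T09:14:03.120Z","remote_ip":"203.0.113.7",'
    '"params":[{"key":"authenticity_token","value":"[FILTERED]"},'
    '{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}',
    '{"method":"POST","path":"/users/password","status":302,'
    '"time":"2024-01-12T09:15:41.002Z","remote_ip":"198.51.100.9",'
    '"params":[{"key":"user","value":{"email":"bob@example.com"}}]}',
    '{"method":"GET","path":"/users/sign_in","status":200,'
    '"time":"2024-01-12T09:16:00.000Z","remote_ip":"198.51.100.9","params":[]}',
    "not json at all",
]

# Constructed sample lines in the shape of gitlab-rails audit_json.log.
SAMPLE_AUDIT_LOG = [
    '{"time":"2024-01-12T09:14:03.400Z","meta.caller_id":"PasswordsController#create",'
    '"entity_type":"User","target_details":["victim@example.com","attacker@example.net"]}',
    '{"time":"2024-01-12T09:15:41.300Z","meta.caller_id":"PasswordsController#create",'
    '"entity_type":"User","target_details":"bob@example.com"}',
]


def _records(lines):
    """Yield parsed JSON objects, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def _distinct_addresses(value):
    """Normalise an email field that may be a string or a list to a set."""
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return set()
    return {v.strip().lower() for v in value if isinstance(v, str)}


def _user_email_param(params):
    """production_json.log (assumed layout) stores request params as a list of
    {key, value} objects; return whatever was submitted under user[email]."""
    for p in params or []:
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            return p["value"].get("email")
    return None


def suspicious_reset_requests(lines):
    """(time, remote_ip, addresses) for POST /users/password requests whose
    email parameter carried more than one distinct address."""
    hits = []
    for rec in _records(lines):
        if rec.get("method") != "POST" or rec.get("path") != "/users/password":
            continue
        addrs = _distinct_addresses(_user_email_param(rec.get("params")))
        if len(addrs) > 1:
            hits.append((rec.get("time"), rec.get("remote_ip"), sorted(addrs)))
    return hits


def suspicious_audit_events(lines):
    """(time, addresses) for PasswordsController#create audit events whose
    target_details lists more than one distinct address."""
    hits = []
    for rec in _records(lines):
        if rec.get("meta.caller_id") != "PasswordsController#create":
            continue
        addrs = _distinct_addresses(rec.get("target_details"))
        if len(addrs) > 1:
            hits.append((rec.get("time"), sorted(addrs)))
    return hits


if __name__ == "__main__":
    # Usage: python3 reset_check.py [audit] < logfile
    scan = suspicious_audit_events if sys.argv[1:2] == ["audit"] else suspicious_reset_requests
    for hit in scan(sys.stdin):
        print(*hit)
```

A hit tells you which addresses were paired with the victim's and from which source IP; the second address in the pair is the mailbox the attacker used, which is the account to treat as compromised.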
Turning to Juniper Networks, the company has issued updates for a critical pre-authentication remote code execution (RCE) vulnerability in the J-Web configuration interface of its SRX Series firewalls and EX Series switches. Tracked as CVE-2024-21591, it is an out-of-bounds write that an unauthenticated attacker can trigger over the network to gain root privileges on the device or to crash it (denial of service). There is currently no evidence of exploitation in the wild, but administrators running the affected Junos OS releases are advised to apply the patches promptly; where that is not yet possible, Juniper's workaround is to disable J-Web or to restrict access to it to trusted hosts only. The affected releases are:
- Junos OS versions earlier than 20.4R3-S9
- Junos OS 21.2 versions earlier than 21.2R3-S7
- Junos OS 21.3 versions earlier than 21.3R3-S5
- Junos OS 21.4 versions earlier than 21.4R3-S5
- Junos OS 22.1 versions earlier than 22.1R3-S4
- Junos OS 22.2 versions earlier than 22.2R3-S3
- Junos OS 22.3 versions earlier than 22.3R3-S2
- Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
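Junos version strings encode a release train, an R release and an optional S service release (for example `22.4R2-S1.4`), so deciding whether a device is inside one of the ranges above takes a little parsing, especially for the 22.4 train with its two fixed points. The following is an added triage helper, written for this article rather than taken from Juniper, that applies exactly the ranges listed above to version strings as printed by `show version`. Any train the list does not name is reported as unlisted rather than safe, since this script knows nothing beyond the page's own table; the version-string grammar assumed here is the standard Junos OS one and does not cover Junos OS Evolved.

```python
import re
import sys

# Fixed releases exactly as listed above, keyed by release train.
FIXED = {
    "20.4": ["20.4R3-S9"],
    "21.2": ["21.2R3-S7"],
    "21.3": ["21.3R3-S5"],
    "21.4": ["21.4R3-S5"],
    "22.1": ["22.1R3-S4"],
    "22.2": ["22.2R3-S3"],
    "22.3": ["22.3R3-S2"],
    "22.4": ["22.4R2-S2", "22.4R3"],
}
# "Junos OS versions earlier than 20.4R3-S9" also covers every train older
# than 20.4.
OLDEST_FIXED_TRAIN = (20, 4)

# major.minor R release [-S service] [.build]; the build suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_junos_version(text):
    """'22.4R2-S1.4' -> (22, 4, 2, 1): major, minor, R release, S service
    release (0 when there is no -S suffix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos OS version string: {text!r}")
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel), int(svc or 0))


def status(version):
    """'vulnerable', 'fixed' or 'unlisted' for CVE-2024-21591, per the ranges
    above. A release is fixed if it is at or past the fixed service release
    of its own R number, or if its R number is newer than every fixed point
    named for its train (22.4R4 is newer than both 22.4R2-S2 and 22.4R3)."""
    major, minor, rel, svc = parse_junos_version(version)
    if (major, minor) < OLDEST_FIXED_TRAIN:
        return "vulnerable"
    train = f"{major}.{minor}"
    if train not in FIXED:
        return "unlisted"  # not covered by the list above; consult the advisory
    fixes = [parse_junos_version(f)[2:] for f in FIXED[train]]
    for fixed_rel, fixed_svc in fixes:
        if rel == fixed_rel and svc >= fixed_svc:
            return "fixed"
    if rel > max(fixed_rel for fixed_rel, _ in fixes):
        return "fixed"
    return "vulnerable"


def triage(versions):
    """Map each version string in an inventory to its status."""
    return {v: status(v) for v in versions}


if __name__ == "__main__":
    # Usage: python3 junos_check.py 22.4R2-S1.4 21.4R3-S4 20.4R3-S9
    for version, result in triage(sys.argv[1:]).items():
        print(f"{version}\t{result}")
```

The 22.4 train is the instructive case: 22.4R2-S1 is vulnerable, 22.4R2-S2 and 22.4R3 are both fixed, and 22.4R1 is vulnerable even though it sorts below 22.4R2-S2, because no fixed R1 service release is listed.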