< ciso brief />

All news with the #gitlab tag

9 articles

CISA Alerts on Five-Year-Old GitLab SSRF Exploitation

⚠️ CISA has ordered federal agencies to patch a five-year-old GitLab SSRF vulnerability (CVE-2021-39935) that is currently being exploited in attacks. GitLab issued a fix for the server-side request forgery bug in December 2021 after it was found that unauthenticated users could reach the CI Lint API when user registration was restricted. Under BOD 22-01, affected Federal Civilian Executive Branch agencies must remediate by February 24, 2026, and CISA urges all organizations to prioritize mitigation. Shodan currently identifies over 49,000 internet-exposed GitLab instances, many reachable on default ports.

GitLab 2FA Bypass Vulnerability Requires Immediate Patch

🔒 A critical two-factor authentication bypass (CVE-2026-0723) in GitLab Community and Enterprise editions allows an attacker who knows a user’s credentials to submit forged device responses and bypass MFA. GitLab released patches in versions 18.8.2, 18.7.2 and 18.6.4 and strongly recommends that all self-managed instances upgrade immediately. Additional fixes address several denial-of-service and authorization flaws; GitLab.com and Dedicated tenants are already protected.

Zoom and GitLab Release Patches for Critical Flaws

🔒 Zoom and GitLab released security updates to address multiple vulnerabilities that could enable denial-of-service, remote code execution, and a two-factor authentication bypass. The most severe is a critical command injection in Zoom Node Multimedia Routers (CVE-2026-22844, CVSS 9.9) that may allow remote code execution; Zoom reports no evidence of active exploitation. GitLab patched several high-severity DoS and 2FA-bypass issues across CE and EE releases. Administrators should apply the provided patches, upgrade affected modules, and review exposure to untrusted networks immediately.

GitLab warns of 2FA bypass and multiple DoS vulnerabilities

🔒 GitLab has patched a high-severity two-factor authentication bypass (CVE-2026-0723) that could allow attackers who know a target's account ID to submit forged device responses and bypass 2FA. The release also addresses two high-severity denial-of-service flaws (CVE-2025-13927, CVE-2025-13928) and two medium-severity DoS issues affecting Wiki rendering and SSH authentication. Administrators should upgrade to 18.8.2, 18.7.2, or 18.6.4 immediately; GitLab.com is already patched.

Hidden Risks in DevOps Stacks and Data Protection Strategies

🔒 DevOps platforms like GitHub, GitLab, Bitbucket, and Azure DevOps accelerate development but also introduce data risks from misconfigurations, exposed credentials, and service outages. Under the SaaS shared responsibility model, customers remain responsible for protecting their repository data and must enforce MFA, RBAC, and tested backups. Third-party immutable backups and shift-left security practices are recommended to mitigate ransomware, insider threats, and accidental deletions.

SBOM Implementation: Eight Best Tools for Supply Chains

🔍 To secure modern software you must know what's inside it, and a Software Bill of Materials (SBOM) provides that transparency. An SBOM should be machine-readable, include component, version, license and patch data, and be generated automatically in CI/CD using standards like SPDX, CycloneDX or SWID. The article reviews eight tools — including Anchore, FOSSA, GitLab and Mend — that generate, analyze and manage SBOMs across the build, registry and runtime lifecycles.
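The summary above lists what a useful SBOM must carry (component, version, license and data that lets you tie the component to patches and advisories). The script below is an added example, not code from the article or from any of the tools it reviews: it audits a CycloneDX JSON document for exactly those fields, so a CI job can fail the build when a generated SBOM is missing them. The SBOM content is constructed for illustration; it is not from a real build, and the field checks (`purl` as the advisory-matching key, `licenses` for license data) reflect the CycloneDX JSON layout rather than any tool-specific output.

```python
"""Audit a CycloneDX (JSON) SBOM for the fields a supply-chain review needs.

Added example: checks name, version, license data and a package URL (purl),
the identifier vulnerability databases key advisories on.
"""
import json

# Constructed sample SBOM for illustration (not from a real build).
# The second component deliberately lacks license and purl data.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "rails",
            "version": "7.1.3",
            "purl": "pkg:gem/rails@7.1.3",
            "licenses": [{"license": {"id": "MIT"}}],
        },
        {
            "type": "library",
            "name": "nokogiri",
            "version": "1.16.2",
        },
    ],
})

# Fields every component must carry; purl and licenses are checked separately
# because CycloneDX stores them in different shapes (string vs. list).
REQUIRED_SCALARS = ("name", "version")


def component_gaps(component):
    """Return the list of required fields this component is missing."""
    gaps = [field for field in REQUIRED_SCALARS if not component.get(field)]
    # Without a purl, advisory/patch lookups cannot match the component.
    if not component.get("purl"):
        gaps.append("purl")
    # License data is a list of {"license": {...}} entries in CycloneDX.
    if not component.get("licenses"):
        gaps.append("licenses")
    return gaps


def audit_sbom(text):
    """Parse a CycloneDX JSON SBOM and map component name -> missing fields.

    Raises ValueError if the document is not CycloneDX, so a CI job fails
    loudly instead of silently passing an empty or foreign document.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    report = {}
    for comp in doc.get("components", []):
        gaps = component_gaps(comp)
        if gaps:
            report[comp.get("name", "<unnamed>")] = gaps
    return report


def sbom_is_complete(text):
    """True when every component carries all required fields (CI gate)."""
    return not audit_sbom(text)


if __name__ == "__main__":
    # Prints {'nokogiri': ['purl', 'licenses']} for the constructed sample.
    print(audit_sbom(SAMPLE_SBOM))
    raise SystemExit(0 if sbom_is_complete(SAMPLE_SBOM) else 1)
```

In a pipeline, run the audit on the SBOM artifact the build step produced and use the exit status as the gate; a component without a purl will not match advisories even when its name and version are correct, which is why that field is treated as mandatory rather than optional.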

Red Hat Confirms GitLab Breach Affecting Consulting

🔒 Red Hat confirmed a security incident after an extortion group calling itself the Crimson Collective claimed to have stolen nearly 570GB of compressed data from roughly 28,000 internal repositories in a GitLab instance used solely for consulting engagements. The group alleges the haul includes about 800 Customer Engagement Reports (CERs) that may contain infrastructure details, authentication tokens, and database URIs. Red Hat says it is remediating the issue, has not verified the attackers' specific claims, and believes its software supply chain and other services remain unaffected.

Max Severity Argo CD API Flaw Exposes Repo Credentials

🔒 A critical Argo CD vulnerability (CVE-2025-55190) allows API tokens holding even a low-privilege project-level `get` permission to call API endpoints that return repository credentials. Rated CVSS v3 10.0, the flaw bypasses project isolation protections and can expose the usernames and passwords used to access Git repositories. The issue affects all releases before the fixed versions 3.1.2, 3.0.14, 2.14.16, and 2.13.9; administrators should upgrade immediately and rotate any repository credentials that an over-broad token may have read.

AggregateIQ Code Leak Exposes Political Targeting Tools

🔓 UpGuard disclosed that a large GitLab repository belonging to AggregateIQ was publicly accessible, exposing source code, configuration files, and numerous credentials. The leak included applications and tools — notably projects named Ripon_canvas and Ripon_dialer — designed to manage voter databases, microtargeting, canvassing, and automated outreach. Credentials for Facebook apps, Twilio, AWS, and other services were present, raising the risk of account takeover and large-scale data harvesting. UpGuard linked the repository to work for US campaigns and reported ties to Cambridge Analytica, with further technical analysis promised in subsequent reports.