Federal frenzy to patch gaping GitLab account takeover hole

The US Cybersecurity and Infrastructure Security Agency (CISA) is forcing all federal agencies to patch a critical vulnerability in GitLab's Community and Enterprise editions, confirming it is very much under "active exploit." When CISA adds a vulnerability to its Known Exploited Vulnerabilities (KEV) list, it means all …

  1. Anonymous Coward
    Terminator

    Web anything doesn't belong on a security device ..

    A specially crafted HTTP request sends a password reset link to an unverified, attacker-controlled email address, enabling unauthorized account takeovers.

    1. Pascal Monett Silver badge

      You're absolutely right, except you're wrong because today, developers have the habit ingrained in their skulls that production servers should download code from 3rd-party servers.

      It's in the bloodstream now, there's nothing anyone can do about it - except the miscreants.

      If they create enough mayhem, bloodshed and tears to make all CTOs and CIOs scream for keeping production server code under control, then we might get back to those hallowed times when an admin actually knew what was running on the server he was responsible for.

      But, these days, the mantra is "move fast and break things" and, boy, how we are setting ourselves up to be broken . . .

    2. ecofeco Silver badge
      Headmaster

      Re: Web anything doesn't belong on a security device ..

      You're both right and we are all screwed.

  2. CowHorseFrog Silver badge

    GitLab has always been crap, just look at its ugly URLs, at least GitHub has nice URLs that can easily be edited to select another pull request or repo, but nope everything in GitLab is database ids because using human readable names in URLs is too hard.

    Same problem with Bitbucket.

    Funny how they are also the sources of considerable numbers of very basic security exploits, while github with its better urls also has better security.

    So congratulations on your shitty URLs to save a few hours of effort, I guess the same is also true of your code reviews and efforts in doing the right thing about security. Just rush it through.

  3. claimed Silver badge

    Specially crafted HTTP request..

    So, a REST API with the email swapped out?

    1. weirdbeardmt

      Re: Specially crafted HTTP request..

      I was imagining ?loggedin=1 or similar…

      1. Paul Crawford Silver badge
        Headmaster

        Re: Specially crafted HTTP request..

        ?bendoverBlackadder=pokerTime

        Commit added by the Bishop of Bath and Wells, 21 December 1247

  4. Paul Crawford Silver badge
    FAIL

    Looking at that graph, 4 months on and only about 50% are patched. Oh dear.
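The first comment quotes the flaw as a crafted HTTP request that gets a password reset link sent to an unverified, attacker-controlled address. The Ruby below is an added illustration of that class of bug and its fix; it is not GitLab's code and makes no claim about GitLab's actual reset path. The in-memory `ACCOUNTS` store, the `Outbox` recorder and the `reset_weak` / `reset_hardened` handler names are all constructed for this example. The weak handler treats the submitted `email` parameter as the delivery address (and, as many frameworks do, accepts it as an array), so one crafted request can fan the token out to an address the attacker owns. The hardened handler treats the parameter purely as a lookup key, accepts only a single scalar value, mails only the verified address already on record, and returns the same response whether or not an account exists.

```ruby
require 'securerandom'

# Constructed account store (not real data). email_verified marks a confirmed
# address; bob's address has never been confirmed.
ACCOUNTS = {
  'alice' => { email: 'alice@example.test', email_verified: true },
  'bob'   => { email: 'bob@example.test',   email_verified: false },
}.freeze

# Records every message a handler would send so the outcome can be inspected
# without a real mailer.
class Outbox
  attr_reader :sent
  def initialize
    @sent = []
  end

  def deliver(to, token)
    @sent << { to: to, token: token }
  end
end

# Returns the [username, account] pair for an address, or nil.
def find_account_by_email(addr)
  ACCOUNTS.find { |_, a| a[:email] == addr }
end

# Weak handler: the request parameter doubles as the delivery address and is
# accepted as an array (email[]=a&email[]=b). One real address in the list is
# enough to pass the existence check, after which the same token is mailed to
# every address supplied, including ones the account owner never verified.
def reset_weak(params, outbox)
  targets = Array(params['email'])
  return :not_found unless targets.any? { |t| find_account_by_email(t) }

  token = SecureRandom.hex(16)
  targets.each { |t| outbox.deliver(t, token) }
  :sent
end

# Hardened handler: the parameter is only a lookup key. Only a single string is
# accepted, the stored verified address is the sole delivery target, and the
# response is constant so the endpoint cannot be used to enumerate accounts.
def reset_hardened(params, outbox)
  requested = params['email']
  return :sent unless requested.is_a?(String) # arrays, hashes, nil: do nothing

  _, account = find_account_by_email(requested.strip.downcase)
  if account && account[:email_verified]
    outbox.deliver(account[:email], SecureRandom.hex(16))
  end
  :sent
end

# Runs both handlers on the same request and returns who each would have mailed.
def compare(params)
  weak = Outbox.new
  hard = Outbox.new
  reset_weak(params, weak)
  reset_hardened(params, hard)
  {
    weak: weak.sent.map { |m| m[:to] },
    hardened: hard.sent.map { |m| m[:to] },
  }
end

if __FILE__ == $0
  # Constructed request: a real address plus one the attacker controls.
  crafted = { 'email' => ['alice@example.test', 'attacker@evil.test'] }
  p compare(crafted)
  # => {:weak=>["alice@example.test", "attacker@evil.test"], :hardened=>[]}
end
```

The detection angle follows from the same contrast: a reset endpoint that mails any address other than the one stored for the account, or that accepts the parameter as a list, is the thing to look for in code review, and reset mails going to an address that does not match the account's verified email is the thing to alert on in logs.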
