CISA warns of five-year-old GitLab flaw exploited in attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems against a five-year-old GitLab vulnerability that is actively being exploited in attacks.

GitLab patched this server-side request forgery (SSRF) flaw (tracked as CVE-2021-39935) in December 2021, saying it could allow unauthenticated attackers with no privileges to access the CI Lint API, which is used to simulate pipelines and validate CI/CD configurations.

“When user registration is limited, external users who are not developers should not have access to the CI Lint API,” the company said at the time.


“An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.”
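A quick way to check an instance inventory against the three affected ranges quoted above, as an added example that is not part of the article or of GitLab's own tooling; it assumes version strings in the `X.Y.Z` form GitLab reports, optionally with a suffix such as `-ee`:

```python
"""Check whether a GitLab version falls inside the CVE-2021-39935 affected ranges.

Added example. The ranges are taken from GitLab's advisory as quoted in the
article; the version-string format (e.g. "14.4.3-ee") is an assumption.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per the advisory: "all versions starting
# from 10.5 before 14.3.6, 14.4 before 14.4.4, 14.5 before 14.5.2".
AFFECTED_RANGES = (
    ((10, 5, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Turn "14.4.3-ee" or "14.4" into a (major, minor, patch) tuple.

    Suffixes such as "-ee" or "-ce.0" are ignored; a missing patch level is
    treated as .0 so "14.4" sorts as the first release of that minor line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text: str) -> bool:
    """True if the version lies in any [first_affected, first_fixed) range."""
    version = parse_version(version_text)
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    inventory = {"git.example.test": "14.3.5-ee", "ci.example.test": "14.5.2"}
    for host, ver in inventory.items():
        status = "AFFECTED" if is_affected(ver) else "ok"
        print(f"{host:<20} {ver:<10} {status}")
```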

On Tuesday, CISA added the flaw to its list of vulnerabilities exploited in the wild and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems within three weeks, by February 24, 2026, as mandated by Binding Operational Directive (BOD) 22-01.

While BOD 22-01 targets only federal agencies, CISA has urged all organizations, including those in the private sector, to prioritize securing their devices against ongoing CVE-2021-39935 attacks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Shodan is currently tracking over 49,000 devices with a GitLab fingerprint exposed online, the vast majority of which are in China, and nearly 27,000 are using the default port 443.

GitLab says its DevSecOps platform has more than 30 million registered users and is used by over 50% of Fortune 100 organizations, including high-profile companies such as Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin.

Yesterday, CISA also flagged a critical SolarWinds Web Help Desk vulnerability as actively exploited and ordered government agencies to patch systems within three days.
