Two Critical Vulnerabilities Patched in GitLab, All Organizations Advised to Update Instances

Context On January 11, 2023, GitLab released security updates to remedy two critical vulnerabilities in GitLab software. All RH-ISAC organizations are urged to immediately update to versions 16.5.6, 16.6.4, and 16.7.2, or to a version where the fix was backported (16.1.6, 16.2.9, 16.3.7, and 16.4.5). According to the security update, the flaws affected the following…

Read More

Firms Potentially Exposed to Supply Chain Compromise Attack via New Class of GitHub CI/CD Attack, PoC Available

Thousands of public GitHub repositories are vulnerable to a newly discovered malicious code injection via self-hosted GitHub Actions runners, which could lead to high-impact attacks, leading to potential disruption to large-scale organizations, according to a recently released news report. Furthermore, threat actors have specifically targeted GitHub repositories recently, demonstrating clear intent and capability, while the…

Read More

Security Researcher Discloses Misconfiguration in Chattr.ai Hiring Service That May Expose Sensitive Data

Context On January 10, 2024, the security researcher known as Mr Bruh published a report outlining a misconfiguration in the popular AI-based hiring vendor Chatter.ai that exposes sensitive user data. According to the report, attackers can use Chatter.ai’s registration feature to create new user profiles with full read/write privileges by abusing a vulnerability or a…

Read More

Proof of Concept Exploit Released for New Critical Apache Struts Vulnerability

On December 14, 2023, a security researcher published a proof of concept (POC) for the recent vulnerability on Github. Context Throughout the second half of December 2023, details have publicly emerged surrounding CVE-2023-50164, a vulnerability in Apache Struts with a 9.8 severity rating. According to the disclosure: “An attacker can manipulate file upload params to…

Read More

Russian Foreign Intelligence Service (SVR) Cyber Actors Use JetBrains TeamCity CVE in Global Targeting

Context On December 13, 2023, the United States Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, National Security Agency, Polish Military Counterintelligence Service, Community Emergency Response Team Polska, and the United Kingdom’s National Cyber Security Centre released a report that assessed that cyber actors associated with the Russian Foreign Intelligence Service (SVR), also known…

Read More