This article is devoid of useful information. Rather than discussing this vulnerability, it spends 90% of its time talking about why supply chain attacks are bad. In addition, the NIST page has nearly zero information and the links are similarly unhelpful:
* The GitLab issue 404s
* The HackerOne link is behind a login.
* The third link describes how to leverage a class of vulnerabilities, but isn't specific to what this one is. (It's a broad CWE about spoofing.)
Does anyone have a link that actually talks about what this vulnerability is? Even GitLab's patch notes [0] are useless.
I think the article also has no clue what's going on.
From what I’m guessing, anonymous users might be able to run the stop environment job, which would be bad. Not sure how that chains into a supply chain attack or any of that fun stuff.
My take on it is that if GitLab doesn't know who you are, it looks to the last runner of the job (or maybe the creator) to run stop environment. The fix seems to use the current user to attempt the stop environment, which seems simple enough.
[0]: https://about.gitlab.com/releases/2024/09/11/patch-release-g...