GitLab has patched a raft of vulnerabilities, including two high-severity web security flaws, in an update to its software development platform. A cross-site request forgery (CSRF) vulnerability in GitLab's GraphQL API let an attacker call mutations (state-changing GraphQL operations) while posing as a logged-in victim. A second high-severity vulnerability meant that the GitLab webhook feature could be abused to mount denial-of-service (DoS) attacks.
The DoS vulnerability was discovered by researcher 'afewgoats' and disclosed through GitLab's bug bounty program, which is run on HackerOne. CVE identifiers have been requested for both high-severity vulnerabilities, but none had been assigned at the time of writing. Ethical hacker 'afewgoats' told The Daily Swig that they have been working on a way to attack services that offer webhooks.
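The GraphQL CSRF flaw above belongs to a well-known class: an endpoint that authenticates by session cookie alone will execute whatever operation a browser delivers, and a hostile page can make the victim's browser deliver one. The following is an added illustration of that class and of the checks that close it; it is not GitLab's code, and the origin, mutation field, cookie and header names are assumptions chosen for the example.

```python
"""Added example (not GitLab's code): how a GraphQL endpoint becomes CSRF-able
and how to refuse cross-site mutations.

A cross-site HTML form with enctype="text/plain" needs no JavaScript and
triggers no CORS preflight, yet it can carry a body that parses as JSON. An
endpoint that trusts the session cookie and parses the body regardless of
Content-Type will run the attacker's mutation as the victim.
"""
import json
import re
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "https://gitlab.example"            # assumption: the app's own origin
MUTATION = "mutation { deleteProject(id: 1) { ok } }"  # assumed field name, for illustration
SESSION_COOKIE = {"_session": "victim-session"}        # constructed sample cookie
CSRF_TOKEN = secrets.token_hex(16)                     # per-session token the app would issue


@dataclass
class Request:
    method: str
    headers: dict
    body: str
    cookies: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


# Leading keyword of a GraphQL document, skipping whitespace and # comments.
_LEADING_KEYWORD = re.compile(r"^\s*(?:#[^\n]*\n\s*)*([A-Za-z_]+)?")


def is_mutation(query: str) -> bool:
    """True when the operation's leading keyword is `mutation`."""
    match = _LEADING_KEYWORD.match(query)
    return bool(match and match.group(1) == "mutation")


def forge_cross_site_body(mutation: str) -> str:
    """Body the browser sends for one <input name=NAME value=VALUE> inside
    <form method="POST" enctype="text/plain">: the pair is serialised as
    NAME=VALUE. NAME and VALUE are chosen so the whole line is valid JSON."""
    name = '{"query":' + json.dumps(mutation) + ',"pad":"'
    value = '"}'
    return name + "=" + value  # -> {"query":"mutation ...","pad":"="}


def cross_site_request() -> Request:
    """Constructed request as the victim's browser would send it from attacker.example."""
    return Request("POST",
                   {"Content-Type": "text/plain", "Origin": "https://attacker.example"},
                   forge_cross_site_body(MUTATION), dict(SESSION_COOKIE))


def legitimate_request(token: str = CSRF_TOKEN) -> Request:
    """Constructed request as the app's own front end would send it."""
    return Request("POST",
                   {"Content-Type": "application/json", "Origin": TRUSTED_ORIGIN,
                    "X-CSRF-Token": token},
                   json.dumps({"query": MUTATION}), dict(SESSION_COOKIE))


def weak_accepts(req: Request) -> bool:
    """Vulnerable pattern: cookie = authenticated, body parsed as JSON whatever
    the declared Content-Type, operation executed without further checks."""
    if req.method != "POST" or "_session" not in req.cookies:
        return False
    try:
        json.loads(req.body)["query"]
    except (ValueError, KeyError, TypeError):
        return False
    return True


def hardened_accepts(req: Request, session_token: str = CSRF_TOKEN) -> bool:
    """Hardened pattern: three independent checks, any one of which defeats
    the forged form above."""
    if req.method != "POST" or "_session" not in req.cookies:
        return False
    # 1. Only application/json. A form cannot produce that media type, and a
    #    cross-origin fetch() with it must pass a CORS preflight we never grant.
    ctype = req.header("Content-Type").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    # 2. Origin must be ours; browsers attach Origin to every cross-site POST.
    if req.header("Origin") != TRUSTED_ORIGIN:
        return False
    try:
        query = json.loads(req.body)["query"]
    except (ValueError, KeyError, TypeError):
        return False
    # 3. Mutations additionally need the per-session token, which a page on
    #    another origin cannot read. Compared in constant time.
    if is_mutation(query) and not secrets.compare_digest(req.header("X-CSRF-Token"), session_token):
        return False
    return True


if __name__ == "__main__":
    print("forged body:", forge_cross_site_body(MUTATION))
    print("weak endpoint runs forged mutation:", weak_accepts(cross_site_request()))
    print("hardened endpoint runs forged mutation:", hardened_accepts(cross_site_request()))
    print("hardened endpoint runs legitimate mutation:", hardened_accepts(legitimate_request()))
```

The Content-Type and Origin checks alone stop the form-based attack; the token check is what still protects mutations if a misconfigured CORS policy or a browser quirk ever lets an attacker past the first two.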