#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

DevOps | Breaking Cybersecurity News | The Hacker News

Category — DevOps
The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think

The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think

Nov 18, 2024 DevOps / Identity Security
According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak , up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone . One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1 , and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk.  Why Does Rotation Take So L...
Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems

Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems

Oct 14, 2024 DevOps / Supply Chain
Cybersecurity researchers have found that entry points could be abused across multiple programming ecosystems like PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates to stage software supply chain attacks. "Attackers can leverage these entry points to execute malicious code when specific commands are run, posing a widespread risk in the open-source landscape," Checkmarx researchers Yehuda Gelb and Elad Rapaport said in a report shared with The Hacker News. The software supply chain security company noted that entry-point attacks offer threat actors a more sneaky and persistent method of compromising systems in a manner that can bypass traditional security defenses. Entry points in a programming language like Python refer to a packaging mechanism that allows developers to expose certain functionality as a command-line wrapper (aka console_scripts). Alternatively, they can also serve to load plugins that augment a package's features. Checkmarx noted that while en...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

Oct 11, 2024 DevOps / Vulnerability
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10. "An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches," GitLab said in an advisory. Of the remaining seven issues, four are rated high, two are rated medium, and one is rated low in severity - CVE-2024-8970 (CVSS score: 8.2), which allows an attacker to trigger a pipeline as another user under certain circumstances CVE-2024-8977 (CVSS score: 8.2), which allows SSRF attacks in GitLab EE instances with Product Analytics Dashboard configured and enabled CVE-...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers

Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers

Sep 27, 2024 Container Security / Cloud Computing
A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host. The vulnerability, tracked as CVE-2024-0132 , carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and NVIDIA GPU Operator version 24.6.2. "NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-Check Time-of-Use ( TOCTOU ) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system," NVIDIA said in an advisory. "A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering." The issue impacts all versions of NVIDIA Container Toolkit up to and including v1.16.1, and Nvidia GPU Operator up to and i...
GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

Sep 19, 2024 Enterprise Security / DevOps
GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week. The problem as a result of the library not properly verifying the signature of the SAML Response. SAML, short for Security Assertion Markup Language, is a protocol that enables single sign-on (SSO) and exchange of authentication and authorization data across multiple apps and websites.  "An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents, according to a security advisory . "This would allow the attacker to log in as arbitrary user within the vulnerable system." It's worth noting the fl...
Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Sep 12, 2024 DevSecOps / Vulnerability
GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0 "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert. The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024...
Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack

Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack

Sep 04, 2024
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months. "This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News. At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects ...
CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks

CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks

Aug 20, 2024 Vulnerability / Ransomware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting Jenkins to its Known Exploited Vulnerabilities ( KEV ) catalog, following its exploitation in ransomware attacks. The vulnerability, tracked as CVE-2024-23897 (CVSS score: 9.8), is a path traversal flaw that could lead to code execution. "Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution," CISA said in a statement. It was first disclosed by Sonar security researchers in January 2024 and addressed in Jenkins versions 2.442 and LTS 2.426.3 by disabling the command parser feature. Back in March, Trend Micro said it uncovered several attack instances originating from the Netherlands, Singapore, and Germany, and that it found instances where remote code execution exploits for the flaw were actively being traded. In recent weeks, CloudSEK and ...
GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover

GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover

Aug 15, 2024 Cloud Security / DevOps
A newly discovered attack vector in GitHub Actions artifacts dubbed ArtiPACKED could be exploited to take over repositories and gain access to organizations' cloud environments. "A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume," Palo Alto Networks Unit 42 researcher Yaron Avital said in a report published this week. "This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access." The cybersecurity company said it primarily observed the leakage of GitHub tokens (e.g., GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN), which could not only give malicious actors unauthorized access to the repositories, but also grant them the ability to poison the source code and get it pushed to production via CI/CD workflows. Artifacts in...
Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Jul 25, 2024 Container Security / Vulnerability
Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins (AuthZ) under specific circumstances. Tracked as CVE-2024-41110 , the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity. "An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory. Docker said the issue is a regression in that the issue was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but never got carried over to subsequent versions (19.03 and later). The issue has been resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024, after the problem was identified in April 2024. The following versions of Docker Engine are impacte...
GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

Jul 11, 2024 Software Security / Vulnerability
GitLab has shipped another round of updates to close out security flaws in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user. Tracked as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. "An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances," the company said in a Wednesday advisory. It's worth noting that the company patched a similar bug late last month ( CVE-2024-5655 , CVSS score: 9.6) that could also be weaponized to run pipelines as other users. Also addressed by GitLab is a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace. All the security shortcomings have been fi...
Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Jul 09, 2024 CI/CD Security / Server Security
Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining. "Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors." Jenkins, a popular continuous integration and continuous delivery ( CI/CD ) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime. The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure sec...
End-to-End Secrets Security: Making a Plan to Secure Your Machine Identities

End-to-End Secrets Security: Making a Plan to Secure Your Machine Identities

Jul 01, 2024 DevOps / Identity Protection
At the heart of every application are secrets. Credentials that allow human-to-machine and machine-to-machine communication. Machine identities outnumber human identities by a factor of 45-to-1 and represent the majority of secrets we need to worry about. According to CyberArk's recent research , 93% of organizations had two or more identity-related breaches in the past year. It is clear that we need to address this growing issue. Additionally, it is clear that many organizations are OK with using plaintext credentials for these identities in private repos, thinking they will stay private. However, poor hygiene in private code leads to public leaks, as we see in the news too often. Given the scope of the problem, what can we do?  What we really need is a change in our processes, especially around the creation, storage, and working with machine identities. Fortunately, there is a clear path forward, combining existing secrets management solutions and secret detection and remediat...
GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

Jun 28, 2024 Software Security / DevOps
GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user. The weaknesses, which affect GitLab Community Edition (CE) and Enterprise Edition (EE), have been addressed in versions 17.1.1, 17.0.3, and 16.11.5. The most severe of the vulnerabilities is CVE-2024-5655 (CVSS score: 9.6), which could permit a malicious actor to trigger a pipeline as another user under certain circumstances. It impacts the following versions of CE and EE - 17.1 prior to 17.1.1 17.0 prior to 17.0.3, and 15.8 prior to 16.11.5 GitLab said the fix introduces two breaking changes as a result of which GraphQL authentication using CI_JOB_TOKEN is disabled by default and pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged. Some of the other important flaws fixed as part of the lates...
Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Jun 24, 2024 Artificial Intelligence / Cloud Security
Cybersecurity researchers have detailed a now-patched security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032 , the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version 0.1.34 released on May 7, 2024. Ollama is a service for packaging, deploying, running large language models (LLMs) locally on Windows, Linux, and macOS devices. At its core, the issue relates to a case of insufficient input validation that results in a path traversal flaw an attacker could exploit to overwrite arbitrary files on the server and ultimately lead to remote code execution. The shortcoming requires the threat actor to send specially crafted HTTP requests to the Ollama API server for successful exploitation. It specifically takes advantage of the API endpoint "/api/pull...
What is DevSecOps and Why is it Essential for Secure Software Delivery?

What is DevSecOps and Why is it Essential for Secure Software Delivery?

Jun 17, 2024 DevOps / Software Security
Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk. Regulatory pressure to ensure the integrity of all software components is also ramping up dramatically. Applications are built with an increasing number of open source software (OSS) components and other 3rd party artifacts, each of which can introduce new vulnerabilities to the application. Attackers seek to exploit these components' vulnerabilities, which also puts the software's consumers at risk. Software represents the largest under-addressed attack surface that organizations face. Some interesting statistics to digest: More than 80% of software vulnerabilities are introduced through o...
DevOps Dilemma: How Can CISOs Regain Control in the Age of Speed?

DevOps Dilemma: How Can CISOs Regain Control in the Age of Speed?

May 24, 2024 DevSecOps / Vulnerability Management
Introduction The Colonial Pipeline ransomware attack (2021) and SolarWinds supply chain attack (2020) were pivotal moments in cybersecurity, starting a new challenge for Chief Information Security Officers ( CISOs ). These attacks highlighted the importance of collaboration between CISOs and DevOps teams to ensure proper cloud security configurations. In this article, we will outline the 6-step approach to fostering strong partnerships between CISOs, DevOps teams, IT management, and organizations that can help to drive innovation while maintaining a robust security posture. You will learn how a CISO can effectively communicate with IT leadership and what methods to try. Our narrative will emphasize the most crucial aspect of an organization's security - growing your strong security team and moving to a proactive approach.  Understanding such breaches, such as the Capital One data breach (2019), Epsilon data breach (2019), Magecart compromises (ongoing), and MongoDB breaches (2...
Expert Insights / Articles Videos
Cybersecurity Resources