
GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab has shipped security patches to resolve a critical flaw that enables an attacker to run pipelines as another user.

The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) from 13.12 and before 16.2.7, as well as from 16.3 and before 16.3.4.

“It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies,” GitLab said in an advisory. “This was a bypass of CVE-2023-3932 showing additional impact.”

Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.

The vulnerability has been addressed in GitLab versions 16.3.4 and 16.2.7.
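For an administrator with several GitLab instances, the first question is which of them fall inside the affected ranges stated above. The script below is an added example written for this article, not code from GitLab or its advisory: it encodes the two affected ranges (13.12 up to but not including 16.2.7, and 16.3 up to but not including 16.3.4) and the two fixed releases exactly as the article gives them, parses the version strings an instance reports, and prints which hosts need the upgrade. The sample inventory is constructed, and the assumption that a reported version looks like `16.2.6-ee` (dotted integers with an optional edition suffix) is the author's, not the page's.

```python
"""Check GitLab EE version strings against the CVE-2023-5009 affected ranges.

Ranges and fixed releases come from the advisory as reported in the article:
  13.12 <= version < 16.2.7   (fixed in 16.2.7)
  16.3  <= version < 16.3.4   (fixed in 16.3.4)
"""
import re

# (first affected version, first fixed version) for each branch, as
# (major, minor, patch) tuples. A version is affected if lo <= v < hi.
AFFECTED_RANGES = (
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
)


def parse_version(text):
    """Turn '16.2.6-ee', 'v16.3' or '15.11.5' into a (major, minor, patch) tuple.

    Assumption (ours, not the advisory's): versions are dotted integers with an
    optional leading 'v' and optional trailing suffix such as '-ee'. A missing
    patch component is treated as 0, so '16.3' compares as 16.3.0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version lies inside either affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """Return the fixed release for the affected branch, or None if not affected.

    A 16.3.x install gets 16.3.4; anything from 13.12 through 16.2.6 gets 16.2.7,
    which is the earliest fixed release on the page for that span.
    """
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def triage(inventory):
    """Map hostname -> recommended upgrade (None when not affected)."""
    return {host: recommended_upgrade(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version the instance reports.
    inventory = {
        "gitlab-prod": "16.2.6-ee",
        "gitlab-staging": "16.3.3-ee",
        "gitlab-lab": "16.3.4-ee",
        "gitlab-legacy": "13.11.2-ee",
    }
    for host, fix in triage(inventory).items():
        status = f"AFFECTED, upgrade to {fix}" if fix else "outside affected ranges"
        print(f"{host:16} {inventory[host]:12} {status}")
```

Note that an instance older than 13.12 (such as the constructed `gitlab-legacy` entry) is reported as outside the ranges only because the advisory text starts the affected span at 13.12; such a release is long unsupported and should be upgraded regardless.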


The disclosure comes as a two-year-old critical GitLab bug (CVE-2021-22205, CVSS score: 10.0) continues to be actively exploited by threat actors in real-world attacks.

Earlier this week, Trend Micro revealed that a China-linked adversary known as Earth Lusca is aggressively targeting public-facing servers by weaponizing N-day security flaws, including CVE-2021-22205, to infiltrate victim networks.

It is highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential risks.
