DevOps platform GitLab this week announced the release of security updates that address a critical-severity vulnerability allowing an attacker to run pipelines as another user.
Tracked as CVE-2023-5009 (CVSS score of 9.6) and affecting all GitLab Enterprise Edition (EE) versions before 16.2.7 and GitLab Community Edition (CE) versions before 16.3.4, the bug is a bypass of another flaw, CVE-2023-3932, which was addressed in August 2023.
According to GitLab's advisory, the issue allows "an attacker to run pipelines as an arbitrary user via scheduled security scan policies".
The original vulnerability, CVE-2023-3932, was reported through GitLab's HackerOne bug bounty program by a researcher who explained that the attacker could trigger the issue through the scan execution policy.
The bug could be triggered without any user interaction, but the attacker needed to know the victim's GitLab username and the name of one of the victim's internal or members-only projects.
By exploiting the flaw, the attacker could gain access to projects containing private code, the researcher explained.
CVE-2023-5009 was also reported via the HackerOne platform, and GitLab encourages users to update to GitLab CE and EE versions 16.3.4 and 16.2.7, which resolve the flaw.
However, the code hosting platform also notes that for GitLab versions prior to 16.2 the vulnerability only exists if the 'Direct transfers' and 'Security policies' features are enabled at the same time.
To mitigate the flaw, users who cannot upgrade to a patched version of GitLab can disable one or both of these features.
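As an added example, not part of the article or of GitLab's own tooling, the following Python script applies the version boundaries and the feature-toggle condition described above to a small inventory of GitLab instances and reports which ones still need an upgrade or a disabled feature. The `Instance`, `parse_version`, `is_affected` and `triage` names, the inventory entries, and the treatment of releases newer than 16.3 as already fixed are all this example's own assumptions.

```python
"""Triage GitLab instances against the CVE-2023-5009 advisory ranges.

Added example. The version boundaries (16.2.7, 16.3.4) and the
pre-16.2 condition (both 'Direct transfers' and 'Security policies'
enabled) come from the article; the decision logic and inventory are
this example's own.
"""
import re
from dataclasses import dataclass

# First patched release per affected minor line, per the advisory:
# a 16.2.x instance is fixed at 16.2.7, a 16.3.x instance at 16.3.4.
PATCHED = {(16, 2): 7, (16, 3): 4}


def parse_version(text):
    """Turn '16.2.3' or '16.2.3-ee' into (16, 2, 3); reject garbage."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, direct_transfers=True, security_policies=True):
    """True when the instance is in an affected configuration.

    Versions before 16.2 are only exploitable when both features are
    enabled; 16.2.x and 16.3.x are compared against their patch
    releases. Anything newer than 16.3 is assumed fixed (assumption:
    the advisory names no later affected line).
    """
    major, minor, patch = parse_version(version)
    if (major, minor) > (16, 3):
        return False
    if (major, minor) in PATCHED:
        return patch < PATCHED[(major, minor)]
    # Older than 16.2: needs both features on to be vulnerable.
    return direct_transfers and security_policies


@dataclass
class Instance:
    name: str
    version: str
    direct_transfers: bool
    security_policies: bool


def triage(instances):
    """Names of instances that still need a patch or a feature toggle."""
    return [
        i.name
        for i in instances
        if is_affected(i.version, i.direct_transfers, i.security_policies)
    ]


# Constructed inventory for illustration; not real hosts.
INVENTORY = [
    Instance("ci-prod", "16.3.3-ee", True, True),      # below 16.3.4
    Instance("ci-staging", "16.3.4-ee", True, True),   # patched
    Instance("legacy", "16.1.4-ee", True, False),      # one feature off
    Instance("legacy-2", "16.0.8-ee", True, True),     # both features on
]

if __name__ == "__main__":
    for name in triage(INVENTORY):
        print(f"{name}: affected by CVE-2023-5009; upgrade, or disable "
              f"'Direct transfers' or 'Security policies'")
```

The version regex tolerates an edition suffix such as `-ee`, so the string can be pasted from whatever the instance itself reports. Disabling a feature is only a stopgap for instances that cannot be upgraded; the script treats a disabled feature as mitigated solely for the pre-16.2 case the advisory describes.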
"We strongly recommend that all installations running a version affected by the issues are upgraded to the latest version as soon as possible," GitLab notes.
The code hosting platform makes no mention of this vulnerability being exploited in malicious attacks.