GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies.
GitLab is a popular web-based open-source software project management and work tracking platform, offered in a free and a commercial version.
The flaw is tracked as CVE-2023-4998 (CVSS v3.1 score: 9.6) and affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.
The issue was discovered by security researcher and bug hunter Johan Carlsson, and GitLab says it is a bypass of a medium-severity problem tracked as CVE-2023-3932 that was fixed in August.
The researcher found a way to get around the implemented protections and demonstrated an additional impact that raised the severity rating of the flaw to critical.
Impersonating users without their knowledge or permission to run pipeline jobs (a series of automated tasks) could result in attackers accessing sensitive information or abusing the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system.
Considering that GitLab is used to manage code, such a compromise could result in loss of intellectual property, damaging data leaks, supply chain attacks, and other high-risk scenarios.
GitLab's bulletin underlines the severity of the vulnerability, urging users to apply the available security updates promptly.
The versions that resolve CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7.
For users of versions earlier than 16.2, which have not received fixes for the security issue, the proposed mitigation is to avoid having both "Direct transfers" and "Security policies" turned on.
If both features are active, the instance is vulnerable, the bulletin warns, so users are advised to turn on only one of them at a time.
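A small triage helper for the affected ranges and the workaround described above, as an added example that is not GitLab's own code: it takes a version string plus the state of the two features (assumed to be read from the instance's admin settings) and reports whether an upgrade or the workaround applies; the version strings in its self-test are constructed inputs.

```python
"""Triage helper for CVE-2023-4998 (GitLab CE/EE pipeline impersonation).

Added example, not GitLab's code. Affected ranges and the workaround follow
the bulletin as summarised in the article; the version strings in the
self-test at the bottom are constructed inputs.
"""
from __future__ import annotations

# Affected ranges from the bulletin: 13.12 up to (not including) the patched
# 16.2.7, and 16.3 up to (not including) the patched 16.3.4.
AFFECTED_RANGES = (((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4)))


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'X.Y' or 'X.Y.Z' (optionally with an '-ee' style suffix) into a 3-tuple."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls in one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def assess(version: str, direct_transfers: bool, security_policies: bool) -> str:
    """Classify an instance as not_affected, update_available, mitigated or vulnerable.

    The two booleans are assumed to come from the instance's admin settings
    (hypothetical inputs; the article names the features but no API for them).
    """
    if not is_affected(version):
        return "not_affected"
    if parse_version(version) >= (16, 2, 0):
        # A patched release exists for the 16.2 and 16.3 branches: upgrading is the fix.
        return "update_available"
    # Before 16.2 there is no fixed release; the bulletin's workaround is to avoid
    # having "Direct transfers" and "Security policies" enabled at the same time.
    return "vulnerable" if (direct_transfers and security_policies) else "mitigated"


if __name__ == "__main__":
    for ver, dt, sp in (("16.3.2", True, True), ("16.3.4", True, True),
                        ("15.11.0", True, True), ("15.11.0", False, True)):
        print(f"{ver} direct_transfers={dt} security_policies={sp} -> {assess(ver, dt, sp)}")
```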
Users can update GitLab from the official update page or obtain GitLab Runner packages from the official GitLab Runner download page.