GitLab has launched safety updates to handle a essential severity vulnerability that permits attackers to run pipelines as different customers through scheduled safety scan insurance policies.
GitLab is a well-liked web-based open-source software program challenge administration and work monitoring platform, providing a free and business model.
The flaw was assigned CVE-2023-4998 (CVSS v3.1 rating: 9.6) and impacts GitLab Group Version (CE) and Enterprise Version (EE) variations 13.12 by way of 16.2.7 and variations 16.3 by way of 16.3.4.
The difficulty was found by safety researcher and bug hunter Johan Carlsson, who GitLab stated is a bypass of a medium-severity drawback tracked as CVE-2023-3932 that was fastened in August.
The researcher found a technique to overcome the carried out protections and demonstrated a further influence that raised the severity score of the flaw to essential severity.
Impersonating customers with out their data or permission to run pipeline duties (a sequence of automated duties) might consequence within the attackers accessing delicate data or abusing the impersonated person’s permissions to run code, modify knowledge, or set off particular occasions throughout the GitLab system.
Contemplating that GitLab is used to handle code, such a compromise might lead to lack of mental property, damaging knowledge leaks, provide chain assaults, and different high-risk situations.
GitLab’s bulletin underlines the severity of the vulnerability, urging customers to use the accessible safety updates promptly.
The variations that resolve CVE-2023-4998 are GitLab Group Version and Enterprise Version 16.3.4 and 16.2.7.
For customers of variations earlier than 16.2, which haven’t acquired fixes for the safety situation, the proposed mitigation is to keep away from having each “Direct transfers” and “Safety insurance policies” turned on.
If each options are lively, the occasion is weak, warns the bulletin, so customers are suggested to show them on one after the other.
Customers can replace GitLab from right here or get hold of GitLab Runner packages from this official webpage.
