Original Article Text

GitLab urges users to install security updates for critical pipeline flaw. GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies. GitLab is a popular web-based open-source software project management and work tracking platform, offered in a free and a commercial version.

The flaw was assigned CVE-2023-4998 (CVSS v3.1 score: 9.6) and impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4. The issue was discovered by security researcher and bug hunter Johan Carlsson, and GitLab said it is a bypass of a medium-severity problem tracked as CVE-2023-3932 that was fixed in August. The researcher found a way to overcome the implemented protections and demonstrated additional impact that raised the severity rating of the flaw to critical.

Impersonating users without their knowledge or permission to run pipeline tasks (a series of automated tasks) could give attackers access to sensitive information, or let them abuse the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system. Since GitLab is used to manage code, such a compromise could result in loss of intellectual property, damaging data leaks, supply chain attacks, and other high-risk scenarios.

GitLab's bulletin underlines the severity of the vulnerability, urging users to apply the available security updates promptly. The versions that resolve CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7. For users of versions before 16.2, which have not received fixes for the security issue, the proposed mitigation is to avoid having both "Direct transfers" and "Security policies" turned on. If both features are active, the instance is vulnerable, warns the bulletin, so users are advised to turn on only one of them at a time.
Users can update GitLab from here or obtain GitLab Runner packages from this official webpage.
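The affected ranges and the two remediation paths above are easy to get wrong when triaging a fleet of self-managed instances. The following added example (not GitLab's own code) turns the article's version ranges into a check: it treats the fixed releases 16.2.7 and 16.3.4 as not affected, and for branches before 16.2 it reports the bulletin's configuration mitigation instead of an upgrade target. The version string format (e.g. "16.3.3-ee") is an assumption based on what the GitLab version endpoint commonly returns.

```python
"""Classify a GitLab version string against the ranges the advisory lists
for CVE-2023-4998 and say which remediation applies.

Added example, not GitLab's code. Ranges come from the article: 13.12 up to
the fixed 16.2.7, and 16.3 up to the fixed 16.3.4; the fixed releases
themselves are treated as not affected. Suffixes such as "-ee" are ignored.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

FIXED_16_2: Version = (16, 2, 7)
FIXED_16_3: Version = (16, 3, 4)


def parse_version(text: str) -> Version:
    """Turn '16.3.4-ee', 'v16.2' or '15.11.2' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(text: str) -> bool:
    """True when the version falls inside either vulnerable range."""
    v = parse_version(text)
    in_older_branches = (13, 12, 0) <= v < FIXED_16_2
    in_16_3_branch = (16, 3, 0) <= v < FIXED_16_3
    return in_older_branches or in_16_3_branch


def remediation(text: str) -> str:
    """Upgrade target for 16.2/16.3, configuration mitigation before 16.2."""
    v = parse_version(text)
    if not is_affected(text):
        return "not in the affected ranges"
    if v >= (16, 3, 0):
        return "upgrade to 16.3.4"
    if v >= (16, 2, 0):
        return "upgrade to 16.2.7"
    # Releases before 16.2 received no fix: the bulletin's mitigation is to
    # not run "Direct transfers" and "Security policies" at the same time.
    return ("no fixed release for this branch; keep only one of "
            "'Direct transfers' and 'Security policies' enabled")


if __name__ == "__main__":
    for sample in ("16.3.3-ee", "16.3.4", "16.2.1", "15.11.2", "13.11.9"):
        print(f"{sample:>10}: affected={is_affected(sample)}; {remediation(sample)}")
```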

Daily Brief Summary

DATA BREACH // GitLab Releases Updates to Address Critical Pipeline Flaw

GitLab has issued security updates to rectify a high severity vulnerability that could allow attackers to execute pipelines on behalf of other users via scheduled security scan policies.

The vulnerability, designated as CVE-2023-4998, affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.

The flaw was discovered by security researcher Johan Carlsson as a bypass of a previously fixed medium-severity problem known as CVE-2023-3932; because of the additional impact demonstrated, the severity of the current flaw has been upgraded to critical.

The flaw could enable attackers to access sensitive information or misuse the permissions of the impersonated user to run code, modify data or trigger specific events within the GitLab system; the potential consequences could include loss of intellectual property, data leaks, and supply chain attacks among other high-risk scenarios.

GitLab advises users to promptly apply the security updates; for users of versions prior to 16.2, the suggested mitigation is to avoid having both "Direct transfers" and "Security policies" turned on simultaneously.

Users can download the update from official GitLab resources or obtain GitLab Runner packages from an official webpage.