GitLab has shipped safety patches to resolve a important flaw that enables an attacker to run pipelines as one other person.
The difficulty, tracked as CVE-2023-5009 (CVSS rating: 9.6), impacts all variations of GitLab Enterprise Version (EE) ranging from 13.12 and previous to 16.2.7 in addition to from 16.3 and earlier than 16.3.4.
“It was attainable for an attacker to run pipelines as an arbitrary person by way of scheduled safety scan insurance policies,” GitLab mentioned in an advisory. “This was a bypass of CVE-2023-3932 displaying extra influence.”
Profitable exploitation of CVE-2023-5009 might permit a menace actor to entry delicate info or leverage the elevated permissions of the impersonated person to change supply code or run arbitrary code on the system, resulting in extreme penalties.
Safety researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.
The vulnerability has been addressed in GitLab variations 16.3.4 and 16.2.7.
Stage-Up SaaS Safety: A Complete Information to ITDR and SSPM
Keep forward with actionable insights on how ITDR identifies and mitigates threats. Study in regards to the indispensable function of SSPM in guaranteeing your id stays unbreachable.
The disclosure comes as a two-year-old important GitLab bug (CVE-2021-22205, CVSS rating: 10.0) continues to be actively exploited by menace actors in real-world assaults.
Earlier this week, Pattern Micro revealed {that a} China-linked adversary often known as Earth Lusca is aggressively focusing on public-facing servers by weaponizing N-day safety flaws, together with CVE-2021-22205, to infiltrate sufferer networks.
It is extremely advisable that customers replace their GitLab installations to the newest model as quickly as attainable to safeguard towards potential dangers.
