GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies.
GitLab is a popular web-based open-source software project management and work tracking platform, offered in a free and a commercial edition.
The flaw is tracked as CVE-2023-4998 (CVSS v3.1 score: 9.6) and affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 before 16.2.7 and versions 16.3 before 16.3.4.
The issue was discovered by security researcher and bug hunter Johan Carlsson, and GitLab says it is a bypass of a medium-severity problem tracked as CVE-2023-3932 that was fixed in August.
The researcher found a way to get around the protections implemented for that earlier fix and demonstrated additional impact, which raised the severity rating of the flaw to critical.
Impersonating users without their knowledge or permission to run pipeline jobs (a series of automated tasks) could let attackers access sensitive information or abuse the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system.
Considering that GitLab is used to manage source code, such a compromise could result in loss of intellectual property, damaging data leaks, supply chain attacks, and other high-risk scenarios.
GitLab's bulletin underlines the severity of the vulnerability, urging users to apply the available security updates promptly.
The versions that resolve CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7.
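For administrators triaging a fleet of self-managed instances, the affected ranges above translate into a simple half-open interval check against the version string an instance reports. The following is an added example, not GitLab's own tooling: it encodes the two affected ranges from the advisory (13.12 before 16.2.7, and 16.3 before 16.3.4) and classifies version strings of the form returned by `GET /api/v4/version` (for example `16.2.5-ee`). The sample version strings in the usage section are constructed for illustration.

```python
"""Version-range triage for CVE-2023-4998 (GitLab CE/EE).

Added example, not GitLab's own code. The affected ranges are the ones
stated in GitLab's advisory; the version strings at the bottom are
constructed samples, not real instance data.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges [first_affected, first_fixed): a version is vulnerable
# when it is >= the lower bound and < the fixed release of that line.
AFFECTED_RANGES = (
    ((13, 12, 0), (16, 2, 7)),   # 13.12 up to, but not including, 16.2.7
    ((16, 3, 0), (16, 3, 4)),    # 16.3 up to, but not including, 16.3.4
)

# 'MAJOR.MINOR[.PATCH]' with an optional '-ee', '-pre' or build suffix,
# which is how /api/v4/version reports the running release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the first fixed release at or above the instance's version, or None.

    Instances older than 16.2 have no patched release on their own line,
    so the answer for them is 16.2.7 (plus the interim mitigation from the
    bulletin until the upgrade lands).
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    # Constructed sample inventory, as an operator might collect it from
    # each instance's /api/v4/version endpoint.
    inventory = {
        "gitlab-a": "16.2.5-ee",
        "gitlab-b": "16.3.3",
        "gitlab-c": "16.3.4",
        "gitlab-d": "15.11.13-ee",
        "gitlab-e": "13.11.9",
    }
    for host, ver in inventory.items():
        status = "VULNERABLE" if is_vulnerable(ver) else "ok"
        fix = recommended_upgrade(ver)
        print(f"{host:10s} {ver:14s} {status:10s} upgrade-to: {fix or '-'}")
```

The `-ee`/`-pre` suffix is discarded on purpose: CE and EE share the same affected ranges, and a pre-release string sorts with its base version for this check. A `None` from `recommended_upgrade` means the version is outside both ranges, which covers 16.4.0 and later as well as anything older than 13.12.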
For users of versions earlier than 16.2, which have not received fixes for the security issue, the proposed mitigation is to avoid having both "Direct transfers" and "Security policies" enabled at the same time.
If both features are active, the instance is vulnerable, the bulletin warns, so users are advised to enable only one of the two at a time.
Users can update GitLab by following the official update instructions or obtain GitLab Runner packages from the official downloads page.