GitLab has released a fix for a newly discovered security flaw and is urging its users to install it immediately, as it addresses a high-severity vulnerability that can cause all sorts of trouble.
In a security bulletin, GitLab said an attacker could abuse scan execution policies to run pipelines (a series of automated tasks) as another user.
This flaw is now tracked as CVE-2023-4998 and carries a severity score of 9.6. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, and versions 16.3 through 16.3.4.
According to a BleepingComputer report, a threat actor could impersonate a user without their knowledge and permission, and access sensitive information or run malicious code, modify data, or trigger specific events within the GitLab system. Given that GitLab is a code management platform, the vulnerability could lead to intellectual property theft, data leaks, supply chain attacks, and more, the publication claims.
Fixes and workarounds
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said in the advisory.
The vulnerability, discovered by security researcher Johan Carlsson, actually stems from a previous flaw that apparently wasn’t properly addressed. Last month, a vulnerability tracked as CVE-2023-3932 was found and patched. Back then, it was a medium-severity flaw. However, Carlsson found a way to work around the fix, and discovered that the new flaw carries even more weight (hence the new severity score of 9.6).
Users who run GitLab versions older than 16.2 should make sure they don’t have “Direct transfers” and “Security policies” both turned on, as that will make the endpoint vulnerable. Users should have just one of the two turned on at any point in time, the advisory said.
GitLab can be updated via GitLab Runner packages from the official website.