GitLab Releases Urgent Security Patches for Critical Vulnerability

Cyber Security Threat Summary:
GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.

CVE-2023-5009 is a bypass for another flaw (CVE-2023-3932) that was addressed by GitLab in early August 2023, which could also allow a threat actor to run pipelines as another user. The flaw was discovered by security researcher Johan Carlsson and impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. Since the disclosure to GitLab, the vendor has addressed the issue with the release of GitLab versions 16.3.4 and 16.2.7.

Security Officer Comments:
According to GitLab, instances running versions prior to 16.2 are vulnerable if the following features are enabled at the same time:

  • Direct transfers
  • Security policies

If updating is not currently feasible, GitLab recommends disabling one or both of these features.
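The affected version ranges above and the interim mitigation condition for pre-16.2 instances, encoded as a triage helper. This is an added example, not GitLab's code; the version strings used in it are constructed, and the helper only reflects what the advisory states.

```python
"""Triage helper for CVE-2023-5009 (GitLab EE). Added example, not GitLab's code.

Affected ranges from the advisory: 13.12 up to (but not including) 16.2.7,
and 16.3 up to (but not including) 16.3.4. Fixed releases: 16.2.7 and 16.3.4.
"""
import re

# (inclusive lower bound, exclusive upper bound) as (major, minor, patch) tuples.
AFFECTED_RANGES = (((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4)))


def parse_version(text):
    """Parse '16.2.6', '16.3.3-ee' or '16.2' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the EE version falls inside a range the advisory lists as affected."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def triage(version, direct_transfers=True, security_policies=True):
    """Return a one-line recommendation for an instance.

    direct_transfers / security_policies are the two features the advisory names;
    for instances older than 16.2 the issue needs both enabled at the same time.
    """
    if not is_affected(version):
        return "not affected by CVE-2023-5009"
    v = parse_version(version)
    if v < (16, 2, 0) and not (direct_transfers and security_policies):
        return "affected version, but mitigated (direct transfers or security policies disabled); upgrade when possible"
    return "VULNERABLE: upgrade to 16.2.7 / 16.3.4 or later, or disable direct transfers or security policies meanwhile"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, direct transfers on, security policies on).
    for ver, dt, sp in [("16.2.6", True, True), ("15.11.0", False, True), ("16.3.4", True, True)]:
        print(f"{ver:10} -> {triage(ver, dt, sp)}")
```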

Suggested Correction(s):
It’s unclear if the flaw was leveraged in attacks in the wild. GitLab recommends that all installations running a version affected by the issue are upgraded to the latest version as soon as possible to prevent potential exploitation attempts.