GitLab Issues Critical Security Updates for Pipeline Vulnerability

September 19, 2023

GitLab, a widely used web-based open-source software project management and work tracking platform, has issued security updates to address a critical vulnerability. This flaw, identified as CVE-2023-4998, could allow attackers to execute pipelines as other users through scheduled security scan policies. The vulnerability impacts both the Community Edition (CE) and Enterprise Edition (EE) of GitLab, specifically versions from 13.12 up to (but not including) 16.2.7 and from 16.3 up to (but not including) 16.3.4.

The vulnerability was uncovered by security researcher Johan Carlsson, who found that it bypasses the fix for a medium-severity problem tracked as CVE-2023-3932, which GitLab had addressed in August. Carlsson discovered a method to circumvent the protections in place and demonstrated an additional impact, which escalated the severity of the flaw to critical.

The vulnerability could allow attackers to impersonate users without their consent to run pipeline tasks. This could potentially lead to the attackers gaining access to sensitive information or misusing the impersonated user's permissions to run code, alter data, or set off specific events within the GitLab system. Given that GitLab is commonly used to manage code, such a breach could result in the loss of intellectual property, harmful data leaks, supply chain attacks, and other high-risk scenarios.

GitLab's bulletin emphasizes the severity of the vulnerability and strongly encourages users to apply the security updates as soon as possible. The versions that address CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7. For users of versions prior to 16.2, which have not received fixes for the security issue, the recommended mitigation is to avoid having both 'Direct transfers' and 'Security policies' enabled at the same time. If both features are enabled, the instance is vulnerable, the bulletin warns, so users are advised to enable only one of them until they can upgrade. Updated GitLab releases and GitLab Runner packages are available from GitLab's official download pages.
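The following is an added example, not GitLab's own tooling, that turns the bulletin's guidance into a repeatable check an administrator can run against an instance: it classifies the running version against the affected ranges and fixed releases stated above, and for unfixed versions applies the interim rule that an instance is only exposed when Direct transfers and Security policies are both enabled. It assumes the `version` field of GitLab's `GET /api/v4/version` response and the `bulk_import_enabled` key of `GET /api/v4/application/settings` (the setting behind Direct transfers); the `security_policies_enabled` flag is an operator-supplied input, since the bulletin names no single API field for that feature. The JSON responses below are constructed samples so the check runs offline.

```python
"""Assess whether a GitLab instance needs the CVE-2023-4998 update.

Added example (not GitLab's code). Encodes the affected ranges and fixed
releases from the bulletin plus its interim mitigation for unfixed versions.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected: 13.12 <= v < 16.2.7 and 16.3 <= v < 16.3.4 (per the bulletin).
AFFECTED_RANGES = [((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4))]

# Only the 16.2 and 16.3 branches received fixed releases.
FIXED_RELEASES = {(16, 2): (16, 2, 7), (16, 3): (16, 3, 4)}


def parse_version(raw: str) -> Version:
    """Parse '16.3.4-ee' / '15.11.3' into a comparable (major, minor, patch)."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def is_affected(version: Version) -> bool:
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def fix_available(version: Version) -> Optional[Version]:
    """Fixed release on the same minor branch, or None if that branch got no fix."""
    return FIXED_RELEASES.get(version[:2])


def assess(version_json: str, settings_json: str,
           security_policies_enabled: bool) -> dict:
    """Combine version status and feature flags into a single verdict.

    version_json / settings_json are the raw bodies of GET /api/v4/version and
    GET /api/v4/application/settings. security_policies_enabled is supplied by
    the operator (assumption: no single API field is named in the bulletin).
    """
    version = parse_version(json.loads(version_json)["version"])
    direct_transfers = bool(json.loads(settings_json).get("bulk_import_enabled", False))
    verdict = {"version": version, "direct_transfers": direct_transfers,
               "security_policies": security_policies_enabled}

    if not is_affected(version):
        verdict["status"] = "not_affected"
        return verdict

    fixed = fix_available(version)
    if fixed is not None:
        verdict["status"] = "upgrade_required"
        verdict["upgrade_to"] = fixed
    elif direct_transfers and security_policies_enabled:
        # Unfixed branch with both features on: the bulletin's vulnerable state.
        verdict["status"] = "exposed_disable_one_feature"
    else:
        verdict["status"] = "mitigated_until_upgrade"
    return verdict


# Constructed sample API responses (not captured from a real instance).
SAMPLE_VERSION_OLD = '{"version": "15.11.3-ee", "revision": "placeholder"}'
SAMPLE_VERSION_163 = '{"version": "16.3.2-ee", "revision": "placeholder"}'
SAMPLE_VERSION_FIXED = '{"version": "16.3.4-ee", "revision": "placeholder"}'
SAMPLE_SETTINGS_DT_ON = '{"bulk_import_enabled": true}'
SAMPLE_SETTINGS_DT_OFF = '{"bulk_import_enabled": false}'

if __name__ == "__main__":
    for label, v, s, pol in [
        ("old, both features on", SAMPLE_VERSION_OLD, SAMPLE_SETTINGS_DT_ON, True),
        ("old, direct transfers off", SAMPLE_VERSION_OLD, SAMPLE_SETTINGS_DT_OFF, True),
        ("16.3.2", SAMPLE_VERSION_163, SAMPLE_SETTINGS_DT_ON, True),
        ("16.3.4", SAMPLE_VERSION_FIXED, SAMPLE_SETTINGS_DT_ON, True),
    ]:
        print(f"{label}: {assess(v, s, pol)['status']}")
```

For a live instance, fetch the two endpoints with an admin token and pass the response bodies to `assess`; the version check alone is enough to decide whether an upgrade is due, and the feature flags only matter on branches older than 16.2 where no fixed release exists.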
