GitLab, a widely used web-based open-source software project management and work tracking platform, has issued security updates to address a critical vulnerability. This flaw, identified as CVE-2023-4998, could allow attackers to execute pipelines as other users through scheduled security scan policies. The vulnerability impacts both the Community Edition (CE) and Enterprise Edition (EE) of GitLab, specifically versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.
The vulnerability was uncovered by security researcher Johan Carlsson, who found that it bypassed the fix for a medium-severity issue tracked as CVE-2023-3932, which GitLab had patched in August. Carlsson discovered a method to circumvent the protections in place and demonstrated an additional impact, which escalated the severity of the flaw to critical.
The vulnerability could allow attackers to impersonate users without their consent in order to run pipeline jobs. This could let the attackers gain access to sensitive information or misuse the impersonated user's permissions to run code, alter data, or trigger specific events within the GitLab instance. Given that GitLab is commonly used to manage source code, such a breach could result in the loss of intellectual property, harmful data leaks, supply chain attacks, and other high-risk scenarios.
GitLab's bulletin emphasizes the severity of the vulnerability and strongly encourages users to apply the security updates as soon as possible. The versions that address CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7. For users of versions prior to 16.2, which have not received fixes for the security issue, the recommended mitigation is to avoid having both 'Direct transfers' and 'Security policies' enabled at the same time. If both features are enabled, the bulletin warns, the instance is vulnerable, so users are advised to enable only one of them. Users can download GitLab updates and GitLab Runner packages from the official webpage.
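The following triage helper is an added example, not code from GitLab's bulletin or from the article. It encodes the affected version ranges and the mitigation guidance stated above: an instance is treated as affected from 13.12 up to (but not including) the fixed releases 16.2.7 and 16.3.4, and an unfixed instance older than 16.2 is considered vulnerable only when both 'Direct transfers' and 'Security policies' are enabled. The version string would normally come from the instance's `/api/v4/version` endpoint; here it is passed in, and the two feature states are supplied by the operator rather than queried.

```python
"""Triage helper for CVE-2023-4998 (GitLab pipeline impersonation via scheduled scan policies).

Added example based on the version ranges and mitigation published for the flaw.
Assumption: the fixed releases (16.2.7 and 16.3.4) are the first unaffected
versions of their respective series, as the bulletin states.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as [lower inclusive, upper exclusive); the upper bound is the fix release.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 12, 0), (16, 2, 7)),   # 13.12 through 16.2.6
    ((16, 3, 0), (16, 3, 4)),    # 16.3.0 through 16.3.3
]

# Versions below this never received a fix; only the feature-based mitigation applies.
FIRST_FIXED_SERIES: Version = (16, 2, 0)


def parse_version(text: str) -> Version:
    """Parse strings such as '16.2.7', '16.3', 'v16.3.3-ee' into (major, minor, patch)."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def triage(version: str, direct_transfers_enabled: bool, security_policies_enabled: bool) -> str:
    """Return one of four statuses with the action a defender should take.

    NOT_AFFECTED      - version is outside the affected ranges.
    UPGRADE           - version is affected and a fixed release exists for its series.
    VULNERABLE_NO_FIX - version predates 16.2 and both risky features are enabled.
    MITIGATED_NO_FIX  - version predates 16.2 but at most one feature is enabled.
    """
    if not is_affected(version):
        return "NOT_AFFECTED"
    if parse_version(version) >= FIRST_FIXED_SERIES:
        return "UPGRADE"  # move to 16.2.7 or 16.3.4
    if direct_transfers_enabled and security_policies_enabled:
        return "VULNERABLE_NO_FIX"  # disable one of the two features immediately
    return "MITIGATED_NO_FIX"  # keep it that way, and plan an upgrade to a supported series


if __name__ == "__main__":
    # Constructed sample fleet: (hostname, version, direct transfers on?, security policies on?)
    fleet = [
        ("gitlab-a.example.internal", "16.2.6-ee", True, True),
        ("gitlab-b.example.internal", "16.3.4", True, True),
        ("gitlab-c.example.internal", "15.11.2", True, True),
        ("gitlab-d.example.internal", "15.11.2", True, False),
    ]
    for host, ver, dt, sp in fleet:
        print(f"{host:28} {ver:10} -> {triage(ver, dt, sp)}")
```

Feeding the output of `GET /api/v4/version` from each instance into `triage` gives a quick fleet-wide view of who must upgrade and who must rely on keeping one of the two features off until they can move to a fixed series.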