GitLab releases critical security updates, urges patching

published: Sept. 19, 2023

Learn More

GitLab is urging users to promptly install crucial security updates addressing a severe vulnerability in its pipeline system. The flaw, tracked as CVE-2023-4998 (CVSS v3.1 score 9.6), also tracked as CVE-2023-5009, allows potential attackers to execute pipelines as different users by exploiting scheduled security scan policies.

The vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions ranging from 13.12 to 16.2.7, as well as versions 16.3 to 16.3.4. The vulnerability could enable attackers to impersonate users and execute pipeline tasks without their consent, potentially leading to unauthorized access to sensitive data or misuse of the impersonated user's permissions to execute code, modify data, or trigger specific events within GitLab.

Given GitLab's role in code management, a compromise of this nature could result in severe consequences, including loss of intellectual property, data breaches, supply chain attacks, and other high-risk scenarios.

GitLab emphasizes the criticality of this flaw and strongly advises users to promptly update their GitLab versions to GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7.

For users on versions prior to 16.2 that have not yet received fixes for this security issue, GitLab suggests a mitigation strategy: avoiding the activation of both "Direct transfers" and "Security policies" simultaneously. The bulletin underscores that having both features active renders the instance vulnerable, recommending users to enable them one at a time.

To implement the necessary security updates, users can either update GitLab through the provided link or obtain GitLab Runner packages from the official webpage dedicated to GitLab Runner packages. GitLab encourages users to take swift action to secure their systems against potential exploitation of this critical vulnerability.

GitLab releases critical security updates, urges patching