GitLab is warning its users about a vulnerability that allows attackers to run pipelines through scheduled security scan policies while posing as another user. Updating to the latest version of the open-source software management platform is recommended.
The critical vulnerability CVE-2023-4998 was found by an independent security researcher and is a bypass of the previously patched CVE-2023-3932, which posed a similar risk in August this year.
Accessing sensitive information
The recently found vulnerability allows attackers to access sensitive information by impersonating another user. In addition, they inherit the permissions of the person they are impersonating and can use them for other malicious activities: running code, modifying data and triggering specific events within the GitLab system.
Update prevents security problem
The affected versions are GitLab Community Edition (CE) and Enterprise Edition (EE) v13.12 to v16.2.7. Versions 16.3 to v16.3.4 are also affected. GitLab recommends users run the latest versions, which are v16.3.4 of GitLab Community Edition (CE) and v16.2.7 of Enterprise Edition (EE).
Users running GitLab versions before v16.2 who have not yet received a fix for the security issue should take care not to leave ‘Direct transfers’ and ‘Security policies’ enabled simultaneously.
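As an added example (not code from GitLab or from this article), the script below turns the affected and fixed version numbers stated above into a check that an administrator can run against their instance's version string, and flags installations that fall under the interim workaround. It assumes the fixed releases named in the article (v16.2.7 and v16.3.4) are the first unaffected versions of their respective lines, so the ranges are treated as lower-bound inclusive and upper-bound exclusive; the version strings used at the bottom are constructed sample inputs.

```python
"""Check a GitLab version string against the CVE-2023-4998 affected ranges
reported in the article (13.12 up to the fixed 16.2.7, and 16.3 up to the
fixed 16.3.4).  Assumption: the fixed releases are the first safe versions."""
from typing import List, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line.  Lower bound inclusive,
# upper bound exclusive, because 16.2.7 and 16.3.4 are the patched releases.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

# Below this version the article's interim workaround applies when no fix
# has been received: do not enable 'Direct transfers' and 'Security policies'
# at the same time.
WORKAROUND_BELOW: Version = (16, 2, 0)


def parse_version(text: str) -> Version:
    """Normalise strings such as 'v16.3.2', '16.3.2-ee' or '16.3' to a
    three-part integer tuple so versions compare numerically, not lexically."""
    core = text.strip().lstrip("v").split("-")[0]      # drop 'v' prefix and '-ee' suffix
    nums = [int(part) for part in core.split(".")]      # ValueError on junk input
    if not 1 <= len(nums) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(nums) < 3:                                # '16.3' -> 16.3.0
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(text: str) -> bool:
    """True if the version lies inside either affected range."""
    v = parse_version(text)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def needs_workaround(text: str) -> bool:
    """True for affected versions older than 16.2, where the article's
    'Direct transfers' / 'Security policies' workaround is the stop-gap."""
    return is_affected(text) and parse_version(text) < WORKAROUND_BELOW


def assess(text: str) -> str:
    """Human-readable verdict for one version string."""
    if not is_affected(text):
        return f"{text}: not in the affected ranges"
    if needs_workaround(text):
        return (f"{text}: affected; upgrade, and until then do not enable "
                f"Direct transfers together with Security policies")
    return f"{text}: affected; upgrade to 16.2.7 or 16.3.4"


if __name__ == "__main__":
    # Constructed sample inputs, not real instances.
    for sample in ["15.11.2", "v16.2.6-ee", "16.2.7", "16.3.0", "v16.3.4", "13.11.9"]:
        print(assess(sample))
```

The tuple comparison is what makes the range check reliable: comparing version strings lexically would rank "16.10.0" below "16.2.7". Feed the function the value shown under the instance's admin area or returned by its version endpoint.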